New EU rules raise the bar for data security
16 October 2017
Other articles in this edition of Pulse:
- How to create a cyber resilient supply chain
- ASIC Corporate Plan puts cyber resilience high on the agenda
- Unexpected risks of the IoT revolution: cyber security in medical devices
- Spotlight: Cyber breach at Yahoo
- On the international stage: Australia and the EU launch cyber security plans
In brief: The EU General Data Protection Regulation (GDPR) which will apply from May 2018 includes enhanced data security requirements and obligations to notify regulators and individuals of data breaches. A failure to comply with key provisions may lead to a fine of up to €20 million or 4 per cent of global annual turnover in the previous year, whichever is greater. The GDPR applies not only to companies based in the EU, but also to companies that sell goods or services to EU individuals or that monitor individuals in the EU.
Enhanced security obligations
The GDPR retains the general obligation to take appropriate technical and organisational measures to protect personal data. This is a flexible standard and the measures you will need to take will depend on a range of factors including the sensitivity of the information processed and the wider technological environment. However, it is not necessarily a low standard. If a security breach occurs, regulators will generally assess your security with the benefit of hindsight.
Added to this general obligation are specific obligations under the GDPR to:
- encrypt or pseudonymise data;
- ensure appropriate resilience and business continuity measures; and
- test security measures, for example through penetration testing.
These obligations only apply 'where appropriate' so are not mandatory in all cases. However, if you have not implemented these measures, you are likely to be pressed hard to explain why not.
The GDPR also introduces a new tiered breach reporting obligation. In summary:
- all personal data breaches should be recorded;
- if the personal data breach is likely to result in a 'risk' to individuals, it must be reported to the relevant data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it; and
- if the personal data breach is a 'high risk' for individuals, those individuals must be notified.
There are already some sector-specific breach reporting requirements (for example, in the telecoms and financial services sector) but for most organisations this is new. In many cases, you will need a new internal reporting process to be set up so that suspected breaches can be investigated, analysed and a report made within the strict new deadline.
The new breach reporting requirements differ in a few key ways from the new notifiable data breach scheme (the NDB Scheme) that will take effect in Australia from 22 February 2018:
- Under the GDPR, all personal data breaches must be recorded by organisations, whereas there is no requirement to record any breaches under the NDB Scheme.
- The threshold for notification to the regulator and individuals is slightly lower under the GDPR. Under the NDB Scheme, a breach must be notified if it is 'likely to result in serious harm' to the relevant individuals as opposed to if it is a 'risk' or 'high risk' to individuals.
- The timeline for notification to the regulator is much shorter under the GDPR, being 72 hours. Under the NDB Scheme, an organisation must assess whether a data breach is notifiable expeditiously, and in any case within 30 days. Once an organisation determines that the breach is notifiable, it must notify the regulator 'as soon as practicable'.
For more on the new NDB Scheme see our September issue of Pulse: Cyber Security. The rules in the GDPR will also be supplemented by the Network and Information Systems Directive which also applies from May 2018. This will impose breach reporting obligations on operators of critical infrastructure and some online operators.
Finally, these changes do not just apply to companies established in the EU. The GDPR has extra-territorial effect and applies to some companies who deal with individuals in the EU. In particular, it captures companies based outside the EU that either:
- offer goods or services to EU individuals; or
- monitor individuals in the EU.
The Office of the Australian Information Commissioner has released guidance to help Australian businesses navigate the impact of this extra-territorial component.
For more on the impact of the GDPR on your business, see Linklaters' GDPR Survival Guide.
- Gavin Smith, Partner, Sector Leader, Technology, Media & Telecommunications
Ph: +61 2 9230 4891
- Valeska Bloch, Partner
Ph: +61 2 9230 4030
- Michael Park, Partner
Ph: +61 3 9613 8331
- Michael Morris, Partner
Ph: +61 7 3334 3279
- Ian McGill, Partner
Ph: +61 2 9230 4893
- Phil O'Sullivan, Managing Associate
Ph: +61 2 9230 4393
- David Rountree, Managing Associate
Ph: +61 2 9230 4773
- Samantha Naylor Brown, Associate
Ph: +61 2 9230 4458
- Leah Wickman, Associate
Ph: +61 3 9613 8893