When a business or individual becomes aware of a data breach that involves a European citizen’s personal information, it must file a GDPR data breach notification or it can be liable for significant penalties. However, the notification only needs to be filed if the compromised data has the potential to harm a person’s rights and freedoms.
Although the GDPR was enacted in Europe, the regulation applies to businesses in other countries that handle data belonging to European citizens.
In 2012, the European Commission laid down plans to reform data protection in the European Union, because the data privacy laws then in force couldn’t keep pace with sophisticated cybercrime. The proposals eventually became the General Data Protection Regulation (GDPR).
The GDPR was adopted on April 14, 2016, and became fully enforceable beginning May 25, 2018. The GDPR is now central to Europe’s cybersecurity laws.
The GDPR covers more than protection of data from data breaches. It also contains a bundle of data privacy provisions that apply to European citizens, including:
These are just some of the rights to data privacy covered by the GDPR.
Under the GDPR, all businesses are required to report a data breach that involves personal information within 72 hours of becoming aware of the breach. The incident must be reported to the relevant supervisory authority.
Most breaches should be reported to a supervisory authority such as the UK’s Information Commissioner’s Office (ICO). However, there are exceptions.
A data breach doesn’t have to be reported if it is “unlikely to result in a risk to the rights and freedoms of natural persons.” Unfortunately, this assessment is subjective, and when company officials perform it inadequately, breaches go unreported.
A GDPR data breach notification must include the following details:
Thus far, several hundred GDPR enforcement actions and fines have occurred, including fines against several large corporations. For instance, the UK’s ICO fined British Airways £183 million for a GDPR breach that leaked data from 500,000 users.
Regardless of where your business is located, you have to be GDPR-compliant. If you hold data on just one European citizen, you’re bound by GDPR. To ensure your business gets and remains compliant, it’s best to have a GDPR audit performed by a professional.
In addition to a professional GDPR audit, you’ll also need a third-party vendor audit. Under GDPR, you’re responsible for how third parties process your customer data.
This means that if you use third-party software to process payments, manage memberships, or collect email addresses, those companies need to be GDPR compliant, or your company could be held responsible in the event of a data breach.
If you’re not absolutely certain your third-party vendors are GDPR compliant, Panorays can help. We provide third-party security management to help determine whether a vendor is compliant with the regulations your business is required to adhere to.
If an audit determines a vendor is not compliant, we’ll provide actionable insights your vendor can take to remediate all compliance gaps. We want to work with you and your vendors to make sure none of you gets hit with an unexpected fine for a GDPR violation.
Learn more about the important questions to ask your third parties about their GDPR readiness, or contact us to learn how we can help reduce your risk of liability under the GDPR.