The GDPR (General Data Protection Regulation) is an E.U. regulation that requires businesses to protect the personal data they collect and handle about E.U. citizens. The law came into force in 2018 and changed how companies approach data protection and data breaches in the E.U. Notably, the law applies to companies based both inside and outside the E.U., as long as they process E.U. citizens’ data. For many U.S.-based companies, the GDPR is a tough call, especially given penalties that can run up to €20 million.
What Is A Breach Under the GDPR?
The GDPR defines a data breach as a security incident that leads to unlawful access to, disclosure, alteration, or loss of personal data. After noticing a data breach, organizations, also known as data controllers, have 72 hours to report it to the data protection authority (DPA). The most common is the U.K. Information Commissioner’s Office (ICO). For U.S. companies with a presence in the E.U., it’s crucial to have an E.U. representative who reports to the DPA.
Data controllers are also required to notify the data subjects (E.U. citizens) about the data breach. If it’s your company, you should describe the concerned data records, the number of data subjects, the likely consequences of the breach, and measures taken or to be taken to control and mitigate the data breach. In addition, you should also share the details of a contact officer where the affected data subjects can ask for more information.
The most crucial step after discovering a data breach is confirming whether it’s still ongoing. The security officers in your company should then notify the customers and stakeholders in the business. Ensure smooth internal and external communication to reassure all involved parties.
Unfortunately, laws surrounding data breaches in the U.S. are still murky. There is no clear indication of whether U.S. companies should report to the E.U. DPA as well as to the U.S. states in which they operate. Companies will likely need to upgrade their policies beyond what existing U.S. laws require in order to meet the requirements of the GDPR. For instance, the GDPR gives a data subject the right to have their data erased or forgotten. No such law exists in the U.S.
For now, it’s best to have cyber insurance to protect your business and report any breach to the relevant E.U. authority. In any case, the benefits of complying with the GDPR far outweigh the consequences of non-compliance.