In 2016, Uber suffered a serious data breach in which the private information of 57 million users and drivers was stolen. Fearing reputational damage, Uber paid a ransom of US$100,000 and, according to reports, attempted to conceal the incident. Last month, Uber finally disclosed the breach to the public. Under the EU’s incoming legislation, it would have been required to notify those affected within 72 hours of detecting the breach.
The General Data Protection Regulation (GDPR) is an attempt by the European Parliament to establish a single standard of data protection across the EU’s 28 member states. Under certain circumstances, GDPR also applies to companies outside the EU, and it takes a wide interpretation of what constitutes “personal data.” Furthermore, its scope extends beyond data controllers to the companies that provide additional services on their behalf, including cloud services (processors). While bringing processes and systems into compliance may be expensive for some companies, failing to comply with the new rules could be far more financially damaging. Under GDPR, “the most serious infringements” can be fined up to €20 million or 4% of annual global turnover, whichever is greater.
How do you need to respond?
The legislation means that companies not only need to show they have taken reasonable precautions to protect data, but also that they have procedures in place to respond appropriately if an incident occurs. To be compliant, organisations that suffer a data breach need to report the incident to the supervisory authorities and to all those affected within 72 hours of detection.
The GDPR is far reaching, and many companies are unsure how they might be affected by the new regulation or how to prepare for it. The UK’s Information Commissioner’s Office (ICO) provides a detailed guide to the new law, as well as advice in the form of 12 preparatory steps. In its advisory, the ICO highlights the need to know the nature and nationality of the data held, to carry out impact assessments, and to have procedural arrangements in place for crisis management.
A central theme of the GDPR framework is accountability. NYA can help ensure that companies have the necessary processes in place to mitigate the threat of data breaches. This may include reviewing existing policies, building or testing protection systems for vulnerabilities, or providing an assessment of the threats you need to be prepared for.