Why you should have a Personal Data Breach Policy and what should be in it?

You should have a Personal Data Breach Policy that sets forth a plan for how to respond to a Personal Data Breach.  Having and implementing such a plan helps protect an organization from a Personal Data Breach and enables a timely response if a Personal Data Breach is suspected or occurs.

Given these reasons for having a Personal Data Breach Policy, an organization should consider having a Personal Data Breach Policy that discusses:

  • How to determine whether a Personal Data Breach has occurred
  • How to preliminarily address the incident
  • How to investigate the incident
  • How to document the incident and what information to include in the documentation for both
    • Internal documentation (e.g. recordkeeping)
    • External documentation (e.g. notifying regulators and/or individuals)
  • The roles of the personnel who should be on the Incident Response Team
    • Internal personnel (e.g. Chief Security Officer)
    • External personnel (e.g. outside counsel)
  • The need to determine any remediation strategy
  • Examples of potential remediation strategies
  • The need to include in third-party contracts the responsibilities of processors in the event of a suspected or identified Personal Data Breach

These topics are examples of subjects that you should consider including in a Personal Data Breach Policy.  There may be additional subjects that are appropriate for you to include in such a Policy, and under some circumstances it may be appropriate to leave some of the topics listed above out of your Personal Data Breach Policy.

This blog is the 28th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  How is security of processing assessed?

What needs to be in a GDPR personal data breach notification?

If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach.  If a notification to a supervisory authority of a personal data breach must be given, the description of the nature of the personal data breach should include, if possible:

  • The categories and approximate number of individuals concerned, and
  • The categories and approximate number of personal data records concerned.

The communication to the individuals and the notification to the supervisory authority also should contain:

  • The name and contact details of your data protection officer or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, if appropriate, measures to mitigate its possible adverse effects.

If all this information cannot be provided to the supervisory authority at once, it may be provided as soon as it becomes available.

If the controller does not provide a personal data breach communication to individuals, the supervisory authority, after considering the likelihood of the personal data breach resulting in a high risk to the rights and freedoms of individuals, may require the controller to provide a communication if it decides that none of the conditions excusing the communication have been met.

This blog is the 27th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  Why you should have a Personal Data Breach Policy and what should be in it?

What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the:

  • Accidental or unlawful destruction or loss of,
  • Accidental or unlawful alteration of, or
  • Unauthorized disclosure of, or access to,

personal data that have been transmitted, stored or processed in some other way.

After becoming aware of a personal data breach, you must, without undue delay, notify:

  • The supervisory authority, if you are the controller, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals
    • The notification must be given, if feasible, within 72 hours after you became aware of the personal data breach
    • Where notification is not made within 72 hours, the notification must set forth the reasons for the delay
  • The controller, if you are the processor.

The notification to the supervisory authority is unnecessary if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must communicate the personal data breach to the individuals without undue delay.  This communication is unnecessary if any of the following conditions are met:

  • Appropriate technical and organizational protection measures have been implemented by the controller, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption)
  • Subsequent measures have been taken by the controller that make high risks to the rights and freedoms of individuals no longer likely to materialize
  • Disproportionate effort is involved.  In this case, a public, or similar equally effective, communication should be given to individuals

The controller must keep a record of any personal data breaches.  This record should contain:

  • The facts relating to the personal data breach,
  • Its effects, and
  • The remedial action taken.

This blog is the 25th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in a personal data breach notification?

What needs to be in the agreement between the controller and the processor?

Processing by a processor must be governed by an agreement that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of individuals, and the obligations and rights of the controller.  That agreement must provide, in particular, that the processor:

  • Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country;
  • Ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals;
  • Does not engage a sub-processor without prior specific or general written authorization of the controller, and in the case of a general written authorization does not add or replace a sub-processor without informing the controller, so that the controller has the opportunity to object to the addition or replacement;
  • Applies the same data protection obligations as set out in the agreement between the controller and the processor to the relationship between the processor and the sub-processor with respect to processing on behalf of the controller;
  • Remains fully liable to the controller for the performance of the sub-processor’s obligations;
  • Taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the controller’s obligation to respond to requests for exercising individual rights;
  • Taking into account the nature of the processing and the information available to the processor, assists the controller in ensuring compliance with the obligations to:
    • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
    • In the case of a personal data breach, notify the supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals;
    • Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, communicate the personal data breach to the individuals without undue delay;
    • Where a type of processing uses new technologies and taking into account the nature, scope, context and purposes of the processing is likely to result in high risk to the rights and freedoms of individuals, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (DPIA); and
    • Consult the supervisory authority prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk;
  • At the choice of the controller, delete or return all personal data to the controller after the end of providing services relating to processing; and
  • Make available to the controller all information necessary to demonstrate compliance with the foregoing obligations and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 

If the processor engages a sub-processor with respect to processing on behalf of the controller, the exact same provisions in the agreement between the controller and the processor must be in the agreement between the processor and the sub-processor.

This blog is the 24th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What is a data breach under the GDPR and what do you do when one happens?

What kind of agreements do you need if you are a processor or use a subprocessor?

Whenever you as a controller use a processor to process personal data for you, you need to make sure that the processor will provide appropriate technical and organizational security measures that protect the rights of individuals.  In order to do that, you must have a written agreement between you and the processor.

If you are a processor who processes personal data for a controller, you must have a written agreement with the controller; if another processor processes personal data for you (i.e. a sub-processor), you must have a written agreement with the sub-processor.  An agreement between a processor and a sub-processor must contain the same data protection provisions as the agreement between the controller and the processor.  If the sub-processor fails to fulfill its obligations under the agreement with the processor, the processor remains fully liable to the controller for the performance of the sub-processor’s obligations.

A processor cannot engage or replace a sub-processor without the authorization of the controller.  If a processor determines the purposes and means of processing of personal data, then it is no longer a processor and is considered a controller with respect to that processing.

This blog is the 23rd in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in the agreement between the controller and the processor? 

Do you use a processor to process or are you a processor who processes personal data?

As was discussed in an earlier blog, there is a distinction between a controller and a processor. 

  • A controller determines the purposes and means of processing of personal data.  The controller, taking into account the nature, scope, context, and purpose of the processing and the risks of varying likelihood and severity for the rights and freedoms of individuals, must implement appropriate technical and organizational measures.
  • A processor processes personal data on behalf of the controller. 

Under the GDPR, it is important to know whether you use a processor to process personal data or whether you are a processor who processes personal data.  The reason is that the GDPR requires the controller to obtain from the processor certain promises before the controller can use a processor.  Likewise, if you are a processor, the GDPR requires you to make certain promises to the controller before you can act as a processor and requires you to obtain from sub-processors certain promises before you can use them as sub-processors.  

Until it has obtained the prior specific or general written authorization of the controller, the processor cannot engage a sub-processor.  Where the prior written authorization is general, the processor must inform the controller of any intent to add or replace a sub-processor.  This notice is so the controller has the opportunity to object to any change in sub-processors. 

If a processor determines the purposes and means of processing of personal data, then the processor will be considered to be a controller with respect to the processing.

Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.  Joint controllers must set forth their respective roles and responsibilities with respect to individuals, but individuals may exercise their rights against each of the joint controllers.

The processor, and any person acting as an agent of the controller or the processor, who has access to personal data, cannot process that personal data unless instructed to do so by the controller or unless required to do so by law.

This blog is the 22nd in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the topics in GDPRsimple.

Next blog:  What kind of agreements do you need if you are a processor or use a subprocessor?

What does it mean to use contract as a legal ground for processing personal data?

Contract is the third most common legal basis for organizations to process personal data.  In order to determine whether a controller can use contract as the legal ground for processing personal data, ask whether the processing is necessary:

  • For the performance of a contract to which the individual is a party, or
  • In order to take steps at the request of the individual prior to entering into a contract

Performance of a contract to which the individual is a party must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract.  It is important to determine the exact rationale of the contract, i.e., its substance and fundamental objective.   This legal ground only applies to “performance” of a contract and does not apply to all actions taken in the execution of a contract.  The fact that some data processing is covered by a contract does not mean that the processing is “necessary” for its performance.  Common examples of processing for the performance of a contract are processing an individual’s address so that goods bought online can be delivered or processing credit card details in order to pay for goods bought online.

Processing that takes place “prior” to entering into a contract covers precontractual actions, provided that the steps are taken at the request of the individual and are not initiated by the controller or a third party.  Common examples of processing prior to entering into a contract are individuals requesting retailers to send them offers for products, with the retailers keeping the address details and information on the offers requested for a limited time period, or an individual requesting a quote for car insurance, with the insurer using the make and age of the car in order to prepare the quote.  On the other hand, direct marketing at the initiative of the retailer is not an example of processing at the request of the individual.

This blog concludes the three most common legal grounds for processing personal data – consent, legitimate interest and contract.  The next blog will start a discussion of the rights individuals have under the GDPR, beginning with the different types of privacy notices there are.

This blog is the 21st in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.

Next blog:  Do you use a processor to process or are you a processor who processes personal data?

How is a legitimate interest assessment conducted?

In order for a controller to use legitimate interest as the legal ground for processing personal data, the controller will need to conduct a legitimate interest assessment (LIA).  An LIA consists of at least five parts:

  • The purpose for the processing of the personal data 
  • The necessity of the processing  
  • If the processing is necessary, whether the impact on individuals overrides the organization’s legitimate interests
  • If the impact on individuals overrides the organization’s legitimate interest, whether safeguards sufficiently minimize the impact on individuals
  • If safeguards do not sufficiently minimize the impact on individuals and security risks exist, whether technical and organizational security measures sufficiently minimize the impact on individuals

The purpose of the processing is where you identify your legitimate interest.  You (or a third party) must have a clear and specific benefit or outcome in mind.  A vague or generic business interest is not sufficient.  The recitals to the GDPR recognize preventing fraud, ensuring network and information security, or indicating possible criminal acts or threats to public security as a legitimate interest and indicate that processing employee or client data, direct marketing or administrative transfers within a group of companies may be a legitimate interest.  These are not the only situations that are or might be a legitimate interest, but they are good examples.

The processing must be necessary for the purposes of the identified legitimate interest.  The processing doesn’t have to be essential, but it does have to be a proportionate way of achieving the purpose.  You need to consider whether there is a less intrusive way to achieve the purpose, and if there is a less invasive way, then the more invasive way is not necessary.

The last three parts make up the balancing test.  You need to consider the interests and fundamental rights and freedoms of the individual and whether they override your identified legitimate interest.  If the impact on individuals overrides your legitimate interest, consider whether there are any safeguards that can be put into place to reduce or mitigate this risk.  If safeguards do not sufficiently mitigate the impact on individuals and security risks exist, then consider whether technical and organizational security measures can be put into place to reduce or mitigate these risks. 

If your LIA concludes that the impact on individuals overrides your legitimate interest, then you are not able to process personal data for the identified particular purpose using legitimate interest as the legal ground for processing.  However, you may use another legal ground for processing if it applies. 

This blog is the 20th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  What does it mean to use contract as a legal ground for processing personal data?

What does it mean for an organization to have a legitimate interest to process personal data?

Legitimate interest is one of the more common legal grounds for a controller to process personal data.  Legitimate interest is different from consent: it is not processing that the individual has specifically agreed to; it is not processing linked to a specific purpose (like the one specified in a contract with the individual; contract as a legal ground to process will be discussed in a future blog); and it is flexible and could theoretically apply to any type of processing.  Since consent is more restrictive under the GDPR, some think of legitimate interest as the catch-all basis for processing personal data.  This view is incorrect.

In order to decide whether legitimate interest can be used as a legal ground to process personal data, you must conduct a balancing test to determine whether:  

  • The impact on individuals overrides the organization’s legitimate interests
  • If the impact on individuals overrides the organization’s legitimate interests, safeguards sufficiently minimize the impact on individuals
  • If safeguards do not sufficiently minimize the impact on individuals and security risks exist, security measures sufficiently minimize the impact on individuals.

If safeguards and security measures do not sufficiently minimize the impact on individuals, then legitimate interest cannot be used as the legal ground to process.  In order for processing of personal data to proceed, another legal basis for processing must exist.

The legitimate interest need not be the organization’s own.  It could also be the legitimate interest of any third party, and the “third party” could be a third party organization or a third party individual.  Also, the legitimate interests of the public in general may play a part when deciding whether the legitimate interests in the processing override the individual’s interests and rights.  If the processing has a wider public interest for society at large, then this may add weight to your interests when balancing them against those of the individual.

If you think you want to use legitimate interest as the legal ground to process personal data, then you will have to do a legitimate interest assessment.  You must perform the legitimate interest assessment before you start processing the personal data.  How to conduct a legitimate interest assessment will be discussed in the next blog.

This blog is the 19th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  How to conduct a legitimate interest assessment

How to get consent from individuals to process their data?

Consent is one of the most common legal grounds for a controller to process personal data.  Consent of the individual means any:

  • Freely given (i.e. real choice and control).  For example, if individuals have to agree in order to get access to a website, then they do not have choice and control, and consent is not freely given.  Employers and other organizations in positions of power over individuals should avoid relying on consent, as it is unlikely to be freely given.
  • Specific (i.e. the description of the reason for the purpose of the processing must be granular and must be separate from information about other matters).  For example, if a website seeks to market to an individual by mail and by phone, the individual must be able to consent separately to mail and to phone.
  • Informed (i.e. the individual must know the controller’s identity, the purpose of each processing operation for which the controller is seeking consent, the type of data that will be collected and used, the existence of the right to withdraw consent, if relevant the existence of the right not to be subject to automated decision-making, including profiling, and the possible risks of transferring personal data outside the EU).
  • Unambiguous indication of the individual’s agreement to the processing of personal data (i.e. there must be a clear, affirmative and deliberate action).  For example, an individual ticking a checkbox.

All of these requirements must be met.  Furthermore, individuals must be able to withdraw their consent, and it must be easy for them to do so.

The subject of the next blog is one of the other common legal grounds for a controller to process personal data:  legitimate interests.

This blog is the 18th in a series of blogs that explains, in bite size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. 

Next blog:  What does it mean for an organization to have a legitimate interest to process personal data?