GDPR Compliance News

When are GDPR Personal Data Breach Notifications Required?

GDPR personal data breach notifications must be issued to the competent supervisory authority in the event of a breach of personal data unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Breach notifications must also be issued to the data subjects themselves when the breach is likely to result in a high risk to their rights and freedoms.

Requirements for GDPR Personal Data Breach Notifications

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. While there are many requirements to ensure compliance with GDPR, one of those is the mandatory reporting of breaches of personal data.

While security breaches may also need to be reported to other entities under state or federal laws, GDPR only requires notifications to be issued when personal data is breached. Note that GDPR protects individuals who are in the EU regardless of their citizenship, so the trigger is the location of the data subjects and of the processing, not nationality.

GDPR personal data breach notifications are required for “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

If an incident meets that definition, an assessment must be made to determine the level of risk faced by the data subjects. If the breach is unlikely to result in a risk to their rights and freedoms, notifications are not required. If the breach is likely to result in a risk, the controller must notify the competent supervisory authority or, in the event of a breach involving cross-border processing affecting individuals in more than one member state, the lead supervisory authority for that processing.

Notifications are also required for the individuals affected by the breach if it is likely to result in a high risk to their rights and freedoms. In such cases, those individuals should be advised in clear and plain language of the nature of the breach and be provided with information on the steps they can take to mitigate the risk and protect themselves from the possible consequences of the breach. Those notifications must be issued without undue delay.

It is essential that policies are developed to enable a fast response to a breach of personal data as part of an organization’s GDPR compliance efforts. Controllers have a maximum of 72 hours from becoming ‘aware’ of a breach to report it to the supervisory authority. That is an outer limit, not a target: breach notifications should be issued without undue delay, within that 72-hour window. If the 72-hour limit is exceeded, the notification must be accompanied by the reasons for the delay, and late or missing notifications can attract fines for noncompliance, which can be considerable. Where full details are not yet available, GDPR allows the information to be provided in phases, so a lack of complete information is not a reason to hold back the initial notification.

The question of when a controller becomes aware of a data breach needs to be understood clearly, because it starts the 72-hour clock. A controller becomes aware of a breach when it can say, with a reasonable degree of certainty, that a security incident has occurred that has resulted in personal data being compromised. A short period of investigation to establish whether a breach has in fact occurred is permitted before the clock starts. Processors have no direct reporting obligation to the supervisory authority, but they must notify the controller of a breach without undue delay so that the controller can meet its own deadline, and that obligation should be written into processing contracts.

Details of the breach, the actions taken to mitigate risk and control the breach, along with copies of the notifications issued should be retained in case of an audit.

Guidelines on GDPR Personal Data Breach Notifications Issued

Since the GDPR provisions on data breaches are complex, the Article 29 Working Party has released guidelines on GDPR personal data breach notifications to aid understanding and help organizations comply. The guidelines confirm the definition of a breach, explain when breaches are reportable and when the controller is considered to have become ‘aware’, and provide examples to illustrate when the competent supervisory authority and data subjects must be notified.

The 30-page guidelines on GDPR personal data breach notifications have been published by the Article 29 Working Party.

The post When are GDPR Personal Data Breach Notifications Required? appeared first on HIPAA Journal.

GDPR Requirements for US Companies

A new European data privacy and security law – the General Data Protection Regulation (GDPR) – has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including organizations in the healthcare sector.

The new law, which becomes enforceable on May 25, 2018, requires a swathe of protections to be introduced to keep the data of individuals in the EU secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that a healthcare organization will not fall afoul of GDPR. GDPR requirements for US companies cover aspects of privacy and security that are not required for HIPAA compliance, and GDPR covers all personal data, not only health information.

Why Does GDPR Apply to US Companies?

GDPR is concerned with protecting the privacy of individuals in the EU and securing their data, so why are there GDPR requirements for US companies? The purpose of GDPR is to give data subjects greater control over the information that is collected, stored, and used by others. It doesn’t matter where in the world an entity is located: if that entity offers goods or services to individuals in the EU, or monitors their behaviour, and collects or processes their personal data in doing so, it must comply with GDPR. Simply complying with existing data privacy and security regulations in the country in which the entity operates is not sufficient.

GDPR Requirements for US Companies

GDPR naturally applies to multinational companies that have a base in the EU or do business in the EU, although simply closing an EU base is not sufficient to avoid having to comply with GDPR. GDPR follows the data and the data subjects, not the location of an organization’s offices.

An organization may decide not to do business with individuals in the EU to avoid having to comply with GDPR, but even that decision must be implemented correctly. The mere fact that a website can be reached from the EU does not by itself bring it within scope, but if the site is aimed at EU users (for example by offering prices in euros or an EU-language version) or uses cookies and similar technologies to track or profile visitors from the EU, GDPR applies.

GDPR also applies to organizations of all sizes. It doesn’t matter if you are a small one-person practice or a large organization with thousands of employees. If you collect or process personal data of individuals in the EU, GDPR compliance is not optional.

GDPR replaces the EU Data Protection Directive of 1995 (Directive 95/46/EC), which placed direct statutory responsibility only on the data controller, not on processors of data. If you processed data on behalf of another company (the controller), it was that company that had to comply with the previous rules. GDPR imposes direct obligations on both processors and controllers – both parties are now responsible for protecting the privacy rights of individuals in the EU, and processors must operate under a written contract that sets out those obligations.

GDPR defines personal data as “any information relating to an identified or identifiable natural person.” That includes names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, and online identifiers such as an individual’s IP address or cookie identifiers.

The rights afforded to individuals in the EU and the major GDPR requirements for US companies include:

  • Identifying a lawful basis for every purpose for which personal data is collected and processed. Consent is only one of six lawful bases; where it is relied upon, it must be freely given, specific, informed, and as easy to withdraw as it was to give.
  • Obtaining consent from parents or legal guardians before children’s data is collected or processed, where consent is the lawful basis for an online service offered to a child (under 16 by default; member states may lower the age to 13).
  • Implementing appropriate technical and organizational controls to ensure the confidentiality, integrity and availability of personal data are safeguarded.
  • Training employees on the correct handling of personal data.
  • Ensuring that data subject rights can be honored, including the right to erasure (the ‘right to be forgotten’), which requires that it is possible to permanently erase all collected data where the right applies, along with the rights of access, rectification, restriction, objection and data portability.
  • Ensuring individuals are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA.
  • Making sure transfers of personal data out of the EU occur in accordance with GDPR regulations (for example under an adequacy decision, standard contractual clauses or another approved transfer mechanism).
  • Putting data breach notification policies in place to ensure the supervisory authority and, where there is a high risk, the affected individuals receive notification of a breach of personal data.
  • It may also be necessary for organizations to appoint a Data Protection Officer. That individual must have a thorough understanding of GDPR requirements as well as the infrastructure and organization of their company.

What Do US Companies Need To Do Now to Ensure Compliance with GDPR?

  • The GDPR requirements for US companies depend on whether you are a data controller or a data processor. Determine whether you are a controller, a processor, or both, since the obligations differ.
  • Ensure you are aware of all personal data you collect or use, that you know where the data came from, every entity it has been shared with, and every location where it is stored. This requires a full data mapping exercise, which can be labor intensive and time-consuming, and the results should be kept as a record of processing activities.
  • Determine whether you need to appoint a Data Protection Officer and designate a contact that will liaise with the supervisory authority. A US company without an EU establishment will generally also need to appoint a representative in the EU.
  • Document the lawful basis for each processing purpose and, where consent is relied upon, develop consent mechanisms that are specific to each purpose. A single blanket consent covering “all possible uses” of data does not meet the GDPR standard for consent.
  • Ensure you can detect, investigate, and report data breaches within the 72-hour window and have policies in place to notify the supervisory authority and, where required, the affected individuals.
  • Check your Notice of Privacy Practices and make sure it meets GDPR requirements for transparency.
  • Make sure your business associates and their subcontractors are aware of their requirements under GDPR as processors, and that your contracts with them contain the terms GDPR requires.
  • Check your policies on data retention and make sure they meet GDPR requirements. GDPR does not set a single fixed maximum retention period, but under the storage limitation principle personal data may only be kept for as long as is necessary for the purpose for which it was collected, so retention periods must be defined and justified.
  • If you transfer data out of the EU, you must ensure that an approved transfer mechanism is in place.

What are the Penalties for Noncompliance with GDPR

Fail to meet GDPR requirements for US companies and you could be fined by an EU supervisory authority. The penalties for noncompliance with GDPR can be severe. The most serious violations, such as breaches of the basic principles of processing, of data subjects’ rights, or of the rules on international transfers, can attract a fine of up to 20,000,000 Euros ($23,138,200) or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher; for a large company the turnover-based figure can therefore far exceed 20 million Euros. A lower tier of up to 10,000,000 Euros or 2% of worldwide annual turnover applies to other violations, including failures of breach notification and security obligations. Either tier is far in excess of the penalties for HIPAA violations.

Becoming GDPR Compliant May Not be Straightforward

Since achieving compliance with GDPR may not be straightforward, meeting the May 25 deadline could be difficult, especially for any organization that has yet to develop its compliance program. Forward-thinking companies started their compliance programs soon after the Regulation was finalized in 2016, although many firms have yet to begin.

According to figures from PwC, 68% of US companies surveyed have committed between $1 million and $10 million to meeting GDPR requirements, and 9% say they have allocated more than $10 million to GDPR compliance.

If you are unsure how GDPR affects your business, whether your compliance program is adequate, or if you don’t know where to start with GDPR compliance, it is strongly advisable to seek advice from compliance experts who can guide you through the process and ensure, come the deadline, that your policies, procedures, systems, and data privacy and security practices are up to the standard required by the new EU Regulation.

The post GDPR Requirements for US Companies appeared first on HIPAA Journal.