The GDPR will come into force from 25 May 2018 when it will replace the existing EC Data Protection Directive, bringing new legal rights for individuals, extending the scope of responsibilities for data controllers and processors and enhancing the regime for enforcement to include the risk of fines at up to 4% of an organisation's worldwide annual turnover.
The new regulation is in fact a major change in privacy and data protection, with many areas to be affected.
Data Breach Definition
The new regulation has a very broad definition of a data breach, which refers to: “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” The European definition of “personal data” is also very broad, covering any data that can be directly or indirectly associated with a living individual.
Data Breach Reporting
Under the GDPR, data breaches that pose a risk of harm to individuals’ rights and freedoms must be reported within 72 hours of becoming aware of the breach. Companies will therefore need to ensure that they have adequate monitoring systems and data collation processes in place.
Timing of the notifications
Companies experiencing a notifiable breach of EU personal data after May 25, 2018, must make notifications “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Recognizing companies may not know many definitive facts within 72 hours of detecting an incident, the GDPR authors allow that notifications “may be provided in phases.”
Recipients of notifications
Under the GDPR, if a breach of EU personal data poses a risk to the rights and freedoms of individuals, the company must notify its lead data-protection authority (DPA). If the breach poses a high risk to individuals, the company must also notify the individuals themselves.
Content of the notifications
EU data-breach letters must specify the nature of the data categories compromised, the number of data subjects affected, the name of the company’s data protection officer (DPO), contact information for individuals to learn further information, likely consequences for the data subjects, and measures taken to reduce risk to individuals.
Obligations for processors to notify
One of the most significant changes brought in by the GDPR is that it places direct obligations on data processors for the first time. Data processors are required to report data breaches involving their clients' data directly to those clients, without undue delay after becoming aware of the breach. While data processors may operate under a variety of business models, the provisions that apply to them in respect of the processing of client personal data are the same.