What is GDPR?
The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, imposes a new set of security requirements designed to protect personal data. These requirements draw on the experience of data protection authorities and on an understanding of the digital environments in which cyber-criminals trade personal data.
It requires any organisation that collects personal data from EU residents, or processes such data on another organisation's behalf (e.g. cloud service providers), to apply security measures and safeguards that implement the necessary data protection standards.
Lack of compliance means serious consequences
- The fine for non-compliance is up to €20 million, or 4% of worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).
- Non-compliance can trigger a formal investigation by the supervisory authority, and where a breach is likely to result in a high risk to individuals, the organisation must communicate the breach to the affected data subjects (Article 34).
- Reputational loss.
What is considered a breach under GDPR?
GDPR (Article 4(12)) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The Article 29 Working Party guidelines on breach notification group these into three types, which may occur separately or together:
- “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
- “Integrity breach” - where there is an unauthorised or accidental alteration of personal data.
72-hour notification requirement of GDPR
One of the more notable provisions of the GDPR is Article 33, the mandatory 72-hour breach reporting requirement. Article 33 requires that, in the event of a personal data breach, the data controller notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where notification is made after 72 hours, it must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay.
Conditions where notification is not required
- Article 33 makes clear that breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons” do not have to be notified to the supervisory authority. Every breach, notifiable or not, must still be documented internally (Article 33(5)).
- Communication to the affected individuals (Article 34) is not required where the breached data had been rendered unintelligible to anyone not authorised to access it, for example by encryption, and the keys were not compromised, since such a breach is unlikely to adversely affect those individuals. This exemption concerns only the communication to individuals: the incident is still a personal data breach, and whether the supervisory authority must be notified is assessed separately under Article 33.
e-Safe protects data and prevents breaches as defined under GDPR
Having just 72 hours to gather and report information about a data breach is a significant undertaking for any organisation, and it requires a comprehensive containment plan to be developed and provisioned in advance. Classifying sensitive data and having clear visibility of what was lost are key to identifying a breach and taking the necessary remedial action.
e-Safe Compliance not only supports this requirement but also provides the data protection that can prevent breaches from happening in the first place.
e-Safe covers all 3 breach types as defined by GDPR in 3 simple steps
Step 1. Discover and classify sensitive data. Sensitive data is discovered and classified from various sources, including ERP/CRM systems, databases and network drives.
Step 2. Protect sensitive data from breach or loss using encryption. This ensures data remains:
1. protected from unauthorised disclosure.
2. protected in the event of a loss.
3. secured from unauthorised access by both internal and external users.
4. protected when shared with authorised third parties.
Encryption addresses confidentiality: its value depends on the keys being kept separate from the data and remaining uncompromised, and it does not by itself restore data that has been deleted or destroyed.
Step 3. Monitor for and alert on data breaches. Access to, deletion, modification and movement of sensitive data are monitored on all corporate and non-corporate channels, and an alert is raised when a breach occurs.