Sunday 8 November 2015

New EU Data Breach deadline - are you prepared?



New EU rules are coming that may compel an organisation that becomes aware of a personal data breach to report it to its data protection regulator within 72 hours of discovering it. Do you have a policy in place for this if the worst should happen to your data?

Under the proposals, which form part of the draft EU General Data Protection Regulation (the breach notification duty for data about individuals sits there, not in the separate network and information security directive), any organisation that holds personal data about EU residents will have to inform its data protection regulator within the deadline, and also notify affected individuals without undue delay where the breach is likely to adversely affect them, or face hefty fines. Under the Commission's draft the fine could be as much as €1 million or, for an enterprise, up to two per cent of its annual worldwide turnover, depending on how severe the breach is.

The rules, which are still being negotiated, are expected to take effect by 2018.

It is also worth noting that the draft makes data processors directly liable for fines and for claims by data subjects: if the data controller proves that it was not responsible for the event giving rise to the breach, the processor may find itself with a large fine instead. A data processor is any person (other than an employee of the data controller) who processes personal data on behalf of the controller. So if a utility company engages a smaller, independent call centre to phone its customers, and the call centre causes a breach of security, the call centre is the organisation likely to be penalised if the owner of the data (the larger company) can show that it had a policy for informing the authorities within the deadline and had made the processor aware of it.

Some company executives feel that the deadline is harsh; US breach notification rules allow up to a month, and the regulation will reach companies all over the world if they do business in an EU country. Other privacy experts believe the move may be counter-productive: if the breach has not been contained before the 72 hours are up, revealing it before a fix is in place could invite further attacks from other hackers eager to find and exploit the same weakness (though a report to the regulator is not in itself a public announcement; it is the notification to affected individuals that makes a breach widely known).

Meanwhile, others believe that the regulation will actually make it easier for companies to inform privacy authorities, since they will only have to notify one lead authority rather than all 28, and that it will force affected organisations to deal with data breaches immediately. Advocates also argue that a mandatory notification process stops companies from hiding serious data breaches and putting their customers at further risk.

Is your company ready to deal with the new regulation when it comes in? How will you ensure that your staff are up to speed on what they must do in case of a data breach? If you're unsure of how the new rules will affect your business, contact me and I will be delighted to provide you with guidance and advice.
