The increasing amount of cybersecurity incidents cause a serious negative impact on enterprises, prompting legislators around the world to explore new policies and regulations. Certainly, the GDPR was one of the most popular topics in the last year (the report of the European Commission shows that in May 2018 Google inquiries for the GDPR were more popular than those related to Beyoncé and Kim Kardashian). Having finalized the initial GDPR implementation stage, companies have been proceeding to deal with the practical challenges related to the new requirements. One of them is reporting personal data breaches to a supervisory authority and notifying data subjects.
However, the GDPR is not the only binding act setting forth the obligation of notifying certain parties about breaches and incidents. Some countries followed the privacy protection “wave” and introduced their own data protection acts requiring similar breach notifications. There are also other acts, which do not focus only on personal data matters, but cover also notification procedures regarding breaches and incidents (for example, NIS Directive, PSD 2, and ePrivacy Directive as well as country-level acts and guidelines implementing the directives). The wide array of applicable rules (which is especially important for international businesses) might cause organizational problems and misunderstanding regarding the actions to be undertaken in case of a probable incident. Further, the terminology used in different situations varies. Some acts refer to breaches, some to incidents, and in each particular case, the meaning of the term used should be assessed within the context of the corresponding act.
In order to understand which steps should be taken in order to ensure proper incident or breach reporting in the EU, it is recommended to take into consideration the following aspects and summarize them for further use:
1. Requirements applicable to the company. Companies may be subject to certain legal obligations depending on different factors. For example, the applicability may vary when taking into consideration the territory where the company is incorporated or carries out its business activities, the character of the provided services or produced goods, and the clients or partners impacted by the company. For example, GDPR applies also to non-EU companies offering goods or services to the data subjects located in the EU, while the NIS Directive applies to network and information systems within the EU. As the EU Directives are usually implemented on a country level, the companies shall check their obligations against their country’s legislation. Additionally, it is recommended not to forget about acts such as criminal or administrative laws. In some countries, such documents also cover certain types of incidents that might impose reporting obligations.
2. Classification of the event. When it is clear which acts are binding on the company, it is necessary to understand which cases “trigger” the obligation to report the incident – namely, the types of information, systems, people that are impacted, and on which scale, and which level of risk the event falls under and whether this requires disclosure. For example, personal data and financial information systems operated by digital services providers or critical infrastructure might be impacted, but not necessarily require reporting in all cases.
3. Reaction time. The next step is to address the deadline for reporting different types of breaches or incidents. The statutory requirements for the deadlines might vary from several hours to several days or months, depending on the type of event.
4. Reporting. The scope of notification obligation might also be different. Some acts require reporting to authorities, such as personal data protection supervisory authorities, authorities similar to CERT (computer emergency response team), financial and telecommunication regulators, or police. Additionally, the company might be subject to the obligation to notify other impacted parties (clients, employees, cooperation partners).
5. Contents. The final step is to identify the information that will be reported based on the applicable requirements. It also is possible to use special reporting forms or the official template (if available). However, this does not mean that the company cannot collect any additional information for internal incident response purposes.
A summary of the above-mentioned information should be communicated in a way that is understandable to the people responsible for incident reporting in the company. However, the aforementioned activities are only the beginning, and the next task is to ensure that the reporting process is organized correctly and is carried out in appropriate fashion.