In May 2018, data protection law in the European Union (EU) will be forever altered as the General Data Protection Regulation (GDPR) becomes enforceable. The GDPR is taking the place of the 1995 EU Data Protection Directive and is strengthening security and privacy as it relates to EU citizens and their personal data. The GDPR introduces many new requirements that will push organizations to comply with better data collection practices. One new requirement mandates that companies must notify appropriate authorities and individuals of a personal data breach within 72 hours (GDPR Art. 33). This post is going to take a closer look at what is involved with a breach notification and the steps JumpCloud would take should a breach occur.
Before diving into the breach notification component of the GDPR, consider exploring this site if you need to familiarize yourself with the GDPR, or brush up on some of the GDPR terminology here. Now, we’ll explain what the GDPR means when it comes to breach notification.
When a data breach occurs that might affect the rights and freedoms of individuals, the GDPR requires controllers to notify appropriate individuals and supervisory authorities without undue delay and no later than 72 hours after the breach is discovered. If a processor discovers a personal data breach, they must notify the controller without undue delay (GDPR Art. 33). When a controller notifies the supervisory authority, the notification must include the following:
- The nature of the personal data breach including – when possible – the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The contact information of the data protection officer or contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of what the controller is doing, or going to do, to address the data breach and its possible harmful effects.
If the controller is unable to provide all of the information at once, it can provide the information in phases, but without undue further delay.
When (Read more...)
*** This is a Security Bloggers Network syndicated blog from JumpCloud authored by Natalie Bluhm. Read the original post at: https://jumpcloud.com/blog/gdpr-jumpcloud-breach-notification/