GDPR Compliance and Cybersecurity
The General Data Protection Regulation (GDPR) is a European privacy and data protection law that applies
to entities established in the EU or EEA countries and to foreign entities that process personal
data of European residents, while the UK GDPR essentially mirrors the EU GDPR.
What is GDPR and what does it mean for your business?
In May 2018, General Data Protection Regulation (GDPR, EU 2016/679) replaced the 95/46/EC Data Protection Directive, being the first comprehensive and overarching privacy law in the European Union (EU) and the European Economic Area (EEA). It provides individuals with enforceable rights to control how their personal data is being processed, used and shared by companies, organizations and public sector. GDPR is a holistic and complex law, composed of 99 articles and 173 recitals.
ImmuniWeb can help you comply with GDPR cybersecurity and data protection requirements. Learn more
Among other things, GDPR establishes a broad range of privacy rights for individuals (referred as data subjects) that are enumerated in the Articles 12-23 of the regulation. Many countries around the globe now follow the foundational privacy principles, privacy-by-design and privacy-by-default philosophy of GDPR, including PDPA in Singapore, LGPD in Brazil and CCPA in California.
GDPR imposes a wide spectrum of duties upon covered organizations, including robust protection of personal data, data breach disclosure and notification to victims, compliance with individual requests to exercise their privacy rights (e.g. right to be forgotten, right to object data processing, right for data portability), transparency, fairness and accountability for data processing. Monetary sanctions for non-compliance can be astronomically high (see below). Moreover, fines may be complemented with individual and class action lawsuits alongside criminal penalties in a member state that prosecutes violation.
Who is covered by GDPR regulation?
Virtually all commercial entities and non-profit organizations of any size that process personally identifiable data (PII) of EU residents are covered by the GDPR. Most governmental organizations, with narrow exceptions to law enforcement and national security agencies, are likewise covered by GDPR regardless of their size as unambiguously stated in Article 2 (“Material Scope”) of the GDPR. Furthermore, EU-based entities must always abide by GDPR even when processing PII of individuals residing abroad or when processing PII outside of the EU.
Article 3 (“Territorial Scope) of the GDPR makes it clear that the law applies extraterritorially: whenever an entity located outside of the EU processes PII of European residents, the entity must fully comply with GDPR. Those foreign entities that violate GDPR and ignore subsequent legal ramifications may face a default judgement, subsequent seizure of their assets in the EU and retention of incoming payments from their EU customers.
GDPR also applies to paper-based processing of PII, if such processing is a part of a filing system (e.g. CRM or ERP), as elaborated in the Section 1 of the Article 2.
What is the UK GDPR and what is the difference?
Technically speaking, after completion of Brexit on January 1, 2021, the United Kingdom became a third country for the purpose of the EU GDPR applicability and enforcement. Given the GDPR’s extraterritorial reach, the UK companies that process PII of EU residents, are still covered by the EU GDPR and have to comply with the regulation in the same manner as prior to the departure from the European Union. From a practical viewpoint, however, for most commercial entities in the UK, GDPR compliance requirements remain intact compared to 2020. Adequacy decision for the UK privacy regime is about to be granted by the European Commission in 2021, ensuring frictionless PII dataflow between the UK and the continent.
After Brexit, the UK’s European Union (Withdrawal) Act 2018 permitted to retain the EU GDPR as a part of national law in the UK, known as the UK GDPR. In 2018, the UK has also enacted a revised version of its national privacy law Data Protection Act 2018 (DPA 18). Under the same European Union (Withdrawal) Act, DPA 18 was amended on January 1, 2021 to reflect the non-EU status of the UK. Part 2 of the DPA 18 supplements and tailors the UK GDPR, while Part 3 and Part 4 cover PII data processing by the UK law enforcement and intelligence agencies.
Thus, the UK GDPR is almost identical to the EU GDPR and has essentially the same principles of data protection as its European sibling. In any case, the UK-based companies should be familiar both with the UK GDPR and DPA 18 that jointly regulate data protection and privacy across the country.
Who does enforce GDPR compliance?
According to the Article 51 (“Supervisory authority”) of GDPR, all member states (EU/EEA) must establish one or several independent public authorities (referred to as supervisory authorities) to monitor and enforce the regulation. Commonly, such authorities are called Data Protection Authorities (DPA).
For example, in France this regulatory and enforcement function is conferred to the Commission Nationale de l'Informatique et des Libertés (CNIL), in the Netherlands to the Dutch Data Protection Authority (DDPA), while in the UK to the Information Commissioner's Office (ICO) that remained the national authority to enforce UK GDPR after Brexit. Germany has a separate DPA in each of the 16 states (Länder).
National DPAs receive complaints from aggrieved individuals for violations of their privacy rights under GDPR, independently monitor for violations and enjoy virtually unrestrained investigatory and corrective authority pursuant to the Article 58 (“Powers”) of the regulation.
The European Data Protection Board (EDPB) is established by the Article 68 (“European Data Protection Board”) and is mainly tasked to produce advisory opinions and guidelines to the member states and bodies of the EU to ensure a consistent and harmonious application of GDPR across all member countries as defined in the Article 70 (“Tasks of the Board”). EDPB is composed of heads of the national DPAs and the European Data Protection Supervisor (EDPS). The European Commission (EC) may also participate at Board meetings but without a voting right.
What are the penalties for GDPR violations?
Sections 4 and 5 of the GDPR Article 83 (“General conditions for imposing administrative fines”) provide that violations of certain provisions of GDPR are punishable by administrative fines up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year of the offender - whichever is higher.
Fines for data security and protection violations, discussed below, are comparatively lower and may go up to 10,000,000 EUR or 2% of the total worldwide annual turnover of the preceding financial year of the offender - whichever is higher.
In addition to harsh fines, aggressively imposed by national DPAs, the individuals, whose privacy rights under GDPR were violated, may file a civil lawsuit in its country of residence or employment claiming financial compensation for material or non-material damage pursuant to the Article 82 (“Right to compensation and liability”) of GDPR.
Importantly, EU member states may leverage Article 84 (“Penalties) of the GDPR to supplement the above-mentioned administrative fines with criminal penalties, under their national law, going up to imprisonment. Many EU countries, including Austria, France and Germany criminalized intentional mishandling of PII.
What are the recent GDPR enforcement cases?
As of April 2021, European DPAs issued over 500 fines surpassing 277 million EUR in total.
The largest fines for insufficient data security or delayed data breach notifications were imposed upon Marriott International and British Airways after they suffered large-scale data breaches.
National DPAs also have authority to limit or permanently ban PII processing by a covered organization, compel an organization to disclose a data breach, order an organization to implement necessary technical and organizational steps to ensure compliance with GDPR, and oblige an organization to rectify or delete PII in its possession. In minor cases, DPA may also issue a warning or reprimand that will, however, be an aggravating circumstance for future violations of DPA and may trigger higher penalties.
What are the cybersecurity requirements under GDPR?
The Article 4 (“Definitions”) of the GDPR creates the notion of “data controller” and “data processor”. In a nutshell, a controller decides how to process PII of data subjects, while a processor merely follows specific processing instructions received from the controller. One organization may simultaneously be a controller and processor.
Section 1 (f) of the Article 5 (“Principles relating to processing of personal data”) sets a broad and comprehensive standard of data protection, stating that PII shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
Under GDPR, both controllers and processors must implement mandatory organizational and technical requirements for PII protection outlined in the Article 32 (“Security of processing”). This includes risk assessment, adoption of internal security policies, data protection by design and data protection by default. GDPR is inspired by a risk-based model of cybersecurity: the more sensitive data an organization handles, the higher security standards it must implement.
Section 1 (b) of the Article 32 emphasizes that security is a continuous process mandating “ongoing confidentiality, integrity, availability and resilience of processing systems and services” for data processors and controllers regardless of their size and quantity of PII they process. Some SMEs naively believe that they are exempt from GDPR’s security requirements, but they are not.
Then, Section 1 (d) of the Article 32 highlights the importance of regular security testing by imposing “a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” Additional information can be found in GDPR Recitals 75-79 and 83.
Article 25 (“Data protection by design and by default”) of GDPR imposes general duties and obligations on controllers, such as data minimization and implementation of risk-based security controls proportional to reasonably foreseeable threats.
EDPB guidelines on “Data Breach Notification (01/2021)” expressly suggest the following examples of security controls required to comply with GDPR data protection requirements:
- Implement a proper patch management;
- Perform a systematic website security audit;
- Use appropriate anti-malware detection system;
- Run vulnerability and penetration testing on a regular basis;
- Run systematic IT security audits and vulnerability assessments;
- Disable open cloud services.
ImmuniWeb can help you comply with GDPR cybersecurity and data protection requirements. Learn more
What are the data breach notification requirements under GDPR?
GDPR introduces a mandatory data breach notification regime by virtue of the Article 33 (“Notification of a personal data breach to the supervisory authority”). Processors must notify controllers (see above) about any data breaches without undue delay that is usually considered to be a matter of hours, not days.
Data controllers must notify competent DPA as soon as possible but not later than in 72 hours after detection of the breach. Importantly, there is an implied duty to detect breaches and reportable security incidents as swiftly as practical: late detection is no defense and will likely trigger harsh penalties for failure to comply with the data breach notification requirement. There are some narrow exceptions to the notification rule, for example, when all stolen PII data is encrypted with a strong encryption and the key is not compromised. The best practice is, however, to always get in touch with a competent DPA, most of which have standard data breach notification forms. All data breaches, regardless of whether they are reportable or not, must be recorded internally in a data breach register.
Article 34 (“Communication of a personal data breach to the data subject”) of GDPR governs data breach notification to victimized data subjects whose PII was lost, stolen, exposed, destroyed or otherwise compromised. Section 3 of the same article provides some narrow exceptions, similar to the mentioned above, but relying on them is akin to smoking on a powder keg.
What are the supply chain security requirements under GDPR?
EDBP elaborated the bilateral relationship between data controllers and data processors in the comprehensive guidelines on the “Concepts of Controller and Processor in the GDPR (07/2020)”.
GDPR imposes a wide range of duties related to supply chain and third-party risk management when the third parties process PII of covered data subjects. The main duties of processors, among other things, include the same level of data security and protection as imposed by the Article 32 of the regulation, breach notification duty described above, restriction of PII sub-processing, training and vetoing of personnel who has access to the PII, strict compliance with data processing instructions received from the data controller, and secure deletion of PII once the processing contract is terminated. Data controller has a duty and must prescribe these duties in a contract with all suppliers who has access to personal data regulated by the virtue of GDPR.
Article 28 (“Processor”) of the regulation unambiguously says, “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation.” From a data protection viewpoint, it means that controller is responsible and will likely be held legally liable for bad security practices of its processors and sub-processors. Aggrieved individuals may file civil lawsuits both against data controllers and processors.
GDPR Recital 81 underlines security obligations of processors that must be thoroughly verified and regularly audited by data controllers: “controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this regulation, including for the security of processing.” Similarly, processors are fully liable to data processor and data subjects for security of their sub-processors.
In practical terms, organizations covered by GDPR are also required to design and continuously improve a third-party risk management program to minimize threats stemming from supply chain attacks on their processors (e.g. cloud providers, security and IT vendors, marketing agencies, consulting companies, external call centers). Otherwise, they may end up paying a fortune in fines for someone’s else negligence.