Data breaches are taken extremely seriously today, not least by regulatory bodies, and fines can run into the tens, if not hundreds, of millions. For especially severe violations, listed in Art. 83(5) GDPR, the fine framework allows up to 20 million euros or, in the case of an undertaking, up to 4 % of its total global turnover of the preceding fiscal year, whichever is higher.
What is a data breach and what do we have to do in case of a data breach?
A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and the breach is likely to pose a risk to individuals’ rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach. If your company/organisation is a data processor, it must notify the data controller of every data breach.
If the data breach poses a high risk to the individuals affected, those individuals should also be informed, unless effective technical and organisational protection measures have been put in place, or other measures have been taken that ensure the risk is no longer likely to materialise.
As an organisation it is vital to implement appropriate technical and organisational measures to avoid possible data breaches.
Personal data breaches in the Dubai International Financial Centre
The Data Protection Law came into force on 1 July 2020.
The Dubai International Financial Centre (‘DIFC’) has issued a new DIFC Data Protection Law, DIFC Law No. 5 of 2020 (‘DIFC Data Protection Law’). The DIFC Data Protection Law replaces the previous DIFC data protection law, DIFC Law No. 1 of 2007.
Modelled on Europe’s General Data Protection Regulation (‘GDPR’), the DIFC Data Protection Law provides enhanced standards and controls for the processing and movement of personal data by controllers and processors. One of its stated purposes is to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
In this article, we explore the obligations on ‘controllers’ (i.e. entities that control the processing of personal data) and ‘processors’ (i.e. entities that process personal data under the direction of a controller) to notify the DIFC Data Protection Commissioner, and affected data subjects, in the event of personal data breach incidents.
Guarding against personal data breaches
Guidance issued by the Commissioner of Data Protection sets out that controllers and processors should consider the following matters with regard to enhancing information security and protecting against personal data breaches:
- What are the biggest areas for security breach or unauthorised data access or loss?
- Are physical security measures considered in information security policies?
- How are the staff trained about breaches, reporting, and incident management?
- Is there an incident management policy?
Controllers and processors should prepare an incident response plan to ensure the correct procedures are followed to reduce the risk of personal data breaches, and to know what to do if a breach incident occurs. The incident response plan should be aligned to the personal data breach requirements in the DIFC Data Protection Law.
Controllers and processors should ensure they provide specific DIFC Data Protection Law training to personnel, including training focussed on data breach incidents. Such training will assist personnel in recognising data breach incidents, which can take a variety of forms, ranging from inadvertently sending an email to the wrong recipient through to sophisticated hacking events.
Notification to the DIFC Commissioner of Data Protection
The DIFC Data Protection Law sets out that if there is a personal data breach that compromises a data subject’s confidentiality, security or privacy, the controller involved shall, “as soon as practicable” in the circumstances, notify the personal data breach to the DIFC Commissioner of Data Protection. If a processor discovers a personal data breach, the processor is required to notify the relevant controller without undue delay.
The notification to the Commissioner should:
- Describe the nature of the personal data breach, including (where possible) the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the Data Protection Officer (where applicable) or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach; and
- Describe the measures taken, or proposed to be taken, by the controller to address the personal data breach, including (where appropriate) measures to mitigate its possible adverse effects.
Notification to data subjects
When a personal data breach is likely to result in a high risk to the security or rights of a data subject, the controller shall communicate the personal data breach to the affected data subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the data subject, the controller shall promptly communicate with the affected data subject in clear and plain language, providing at least the following information:
- The nature of the personal data breach;
- The name and contact details of the Data Protection Officer (where applicable) or other contact point where more information can be obtained;
- The likely consequences of the personal data breach; and
- The measures taken, or proposed to be taken, by the controller to address the personal data breach, including (where appropriate) measures to mitigate its possible adverse effects.
The Commissioner has the option to communicate the personal data breach to the data subjects where there is a high risk to the security or rights of the data subjects involved, or otherwise direct the controller to make a public communication disclosing that the personal data breach has occurred.
What are the disadvantages of GDPR non-compliance?
The consequences of failing to adhere to the GDPR do not stop at astronomical fines; in severe cases, they could result in a prison sentence for company directors. Kingsley Napley, the internationally recognised law firm, reports that this could be the case if the business in question has lost personal data due to weaknesses in its security set-up, or if data has been stolen from within the business.
Part 2 to follow…