In May 2018, data protection law in the European Union (EU) will be forever altered as the General Data Protection Regulation (GDPR) becomes enforceable. The GDPR is taking the place of the 1995 EU Data Protection Directive and is strengthening security and privacy as it relates to EU citizens and their personal data. The GDPR introduces many new requirements that will push organizations to comply with better data collection practices. One new requirement mandates that companies must notify appropriate authorities and individuals of a personal data breach within 72 hours (GDPR Art. 33). This post is going to take a closer look at what is involved with a breach notification and the steps JumpCloud would take should a breach occur.
Before diving into the breach notification component of the GDPR, consider exploring this site if you need to familiarize yourself with the GDPR, or brush up on some the GDPR terminology here. Now, we’ll explain what the GDPR means when it comes to breach notification.
When a data breach occurs that might affect the rights and freedoms of individuals, the GDPR requires controllers to notify appropriate individuals and supervisory authorities without undue delay and no later than 72 hours after the breach is discovered. If a processor discovers a personal data breach, they must notify the controller without undue delay (GDPR Art. 33). When a controller notifies the supervisory authority, the notification must include the following:
- The nature of the personal data breach including – when possible – the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- The contact information of the data protection officer or contact point where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of what the controller is doing, or going to do, to address the data breach and its possible harmful effects.
If the controller is unable to provide all of the information at once, controllers can provide the information in phases, but as quickly as possible.
When a breach requires controllers to notify the affected individuals, the notification must at least include points 2, 3, and 4 from the list mentioned above. There are a few conditions where a controller is not required to notify the data subjects (GDPR Art. 34). These include:
- The compromised data was encrypted or is unintelligible to any unauthorized person who accesses it.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Notifying data subjects would require too large of an effort. In this case, a public statement or similar measure must be made to inform all data subjects involved.
If controllers and processors fail to notify the appropriate authorities and individuals, they could be fined up to $11.9 million or 2% of their global turnover. So to ensure GDPR compliance, it is crucial to have robust breach detection, investigation, and internal reporting procedures in place. Having these procedures in place can assist you with this new component to data protection law and the quick turnaround that it requires.
JumpCloud’s Approach to the GDPR’s Breach Notification
First, JumpCloud takes a number of steps to prevent a data breach. These include granting access to our technical infrastructure (which securely holds personal data) to only personnel with a verified and documented business need; encrypting all data at rest and in flight; utilizing monitoring software to track all user logins and privileged commands; and enforcing secure authentication methods like MFA and password complexity.
Should JumpCloud suspect a data breach, the company and its technical personnel follow a specific incident response plan and policy. This plan will determine in short order whether a breach has actually occurred, what data has been affected, who is impacted, and what the potential consequences are. If JumpCloud should determine that a breach has occurred, JumpCloud will notify all data subjects within 72 hours of becoming aware of a breach.
Security is a core component to JumpCloud’s Directory-as-a-Service®, and we work very hard to ensure your data is well protected. You can find out more about our security practices here. If you have any questions about GDPR compliance and the breach notification component, please reach out to us. If some of our security features like MFA and password complexity have piqued your interest, feel free to test them out for yourself by signing up for a free account. Your first ten users are free forever.