CPC&
GDPR: DATA BREACH
NOTIFICATION &
COMMUNICATIONS
AN INTRODUCTION
© Charlie Pownall/CPC & Associates 2017. All rights reserved
January 2018
Overview
• Governs the way organisations across the EU process, store and protect
individuals’ personal data
– Takes effect on May 25, 2018
• Replaces the 1995 Data Protection Directive (95/46/EC) and the national laws
implementing it; complementary to other EU legislation
– NIS Directive (2016/1148) for operators of essential services and digital service providers
– Privacy and Electronic Communications Directive (2002/58/EC), implemented in the UK as PECR 2003
– Proposed ePrivacy Regulation (digital marketing, cookies), intended to replace the ePrivacy Directive
• Broad definition of personal data (Art. 4(1)): any information relating to an
identified or identifiable natural person
– Examples (what US practice calls PII): name, date of birth, gender, height, weight, telephone number,
postal address, email address, passport number, social security number, driving licence number,
IP address, location data, cookie identifiers, RFID tags
– Special categories (Art. 9), often called sensitive data: health, genetic and biometric data,
racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership, sex life or sexual orientation
Overview (2)
• Organisations must implement ‘appropriate’ technical and organisational
measures to protect personal data (Art. 32), supported by:
– Data Protection Officers
– Data Protection Impact Assessments
– Codes of Conduct
– Anonymisation, pseudonymisation, encryption
• Strengthens personal rights of EU citizens, including:
– Data access
– Rectification
– Erasure (the ‘right to be forgotten’)
– Portability
– Objection
– etc.
Overview (3)
• Requires organisations to notify a breach
– To the supervisory authority: unless the breach is unlikely to result in a risk to the
rights and freedoms of individuals (Art. 33)
– To affected individuals: where it is likely to result in a high risk to their rights and
freedoms (Art. 34)
• Applies to all organisations established in the EU, and to organisations outside the
EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Art. 3)
• Tiered fines: up to EUR 10m or 2% of worldwide annual turnover, whichever is higher, for
infringements including the breach-notification duties (Art. 83(4)); up to EUR 20m or 4%
for the most serious infringements (Art. 83(5))
• Regarded as an international gold standard
Transparency obligations
Data protection-related information and communications must be (Art. 12):
– Concise, transparent, intelligible and easily accessible
– In clear and plain language
– In writing or by other means, including electronic means
– Provided orally only at the request of the individual, once their identity is verified
– Free of charge
Data breach notification – regulator
• Mandatory notification without undue delay and, where feasible, within 72 hours
of becoming aware of a breach
– To the relevant competent supervisory authority/regulator
– Processors must notify the controller ‘without undue delay’ after becoming aware
– Reasons for any delay beyond 72 hours must be explained
• Required unless the breach is unlikely to result in a risk to the rights and freedoms
of individuals, where risk (Recital 85) covers:
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity
theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage
to reputation, and loss of confidentiality of personal data protected by
professional secrecy
– Other significant economic or social disadvantage to impacted individuals
Data breach notification (2)
• ‘A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches (a single incident can be of more than one type)

  Breach type       Description
  Confidentiality   Unauthorised or accidental disclosure of, or access to, personal data
  Availability      Accidental or unauthorised loss of access to, or destruction of, personal data
  Integrity         Unauthorised or accidental alteration of personal data

* Source: GDPR Article 4(12)
Data breach notification requirements
Notification to the supervisory authority should contain (Art. 33(3)):
• Description of the nature of the breach, including where possible:
– Categories and approximate number of individuals involved
– Categories and approximate number of personal data records involved
• Name and contact details of the Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address
the breach, including, where appropriate, measures taken to mitigate its
possible adverse effects
• Information may be provided in phases where it is not all available at once (Art. 33(4))
Data breach notification - exceptions
• These exceptions apply to communicating a breach to affected individuals (Art. 34(3));
the supervisory authority must still be notified where there is a risk, and every breach
must be documented internally (Art. 33(5))
• Where the personal data was unintelligible to unauthorised parties (e.g. state-of-the-art
encryption with a key that was not itself compromised) and a copy or back-up exists, so
there is no lasting loss of availability
• Where subsequent measures ensure the high risk is no longer likely to materialise
• Where direct communication would involve disproportionate effort, in which case a public
communication or an equally effective measure is required instead
• Where the personal data was already publicly available, the risk to individuals may be
reduced; this is a factor in the risk assessment, not a blanket exemption
Data breach notification - grey areas
• Timing
• Level of risk
• Loss of data availability
Timing
• The 72 hours run from when the controller becomes ‘aware’: a reasonable degree of
certainty that a security incident has occurred that has led to personal data being
compromised
– Scenario 1: In the case of a loss of a CD with unencrypted data it is often not
possible to ascertain whether unauthorised persons gained access. Nevertheless,
such a case has to be notified as there is a reasonable degree of certainty that a
breach has occurred; the controller becomes ‘aware’ when it realises the
CD has been lost
– Scenario 2: A third party informs a controller that it has accidentally received
the personal data of one of the controller’s customers and provides evidence of the
unauthorised disclosure; the controller is aware on receipt of that evidence
– Scenario 3: A controller detects a possible intrusion into its network. A short
period of investigation to establish whether personal data held on the system has
been compromised is acceptable; the controller becomes aware once it confirms this
is the case
– Scenario 4: A cybercriminal contacts the controller after having hacked its system
in order to ask for a ransom; the controller is aware immediately
Timing (2)
• Delayed notification
– Reason for delay must be explained if notification is not made within 72 hours
– Scenario: where a controller experiences multiple, similar confidentiality
breaches over a short period of time, a single ‘bundled notification’ covering
all of them may be justified
• Breaches affecting individuals in more than one EU state
– Controller should notify the lead supervisory authority (one-stop shop)
– Example: Facebook to notify the supervisory authority in the Republic of Ireland
of breaches impacting personal data across multiple EU states
• For data processors
– Guidance recommends prompt notification by the processor to the data controller
– The controller is considered aware once the processor has become aware
Timing (3)
• Communication to customers/affected individuals
– Required where the breach is likely to result in a high risk to the rights and
freedoms of the individuals impacted, e.g. special categories of personal data
disclosed online
– The principal objective is ‘to provide specific information about steps [affected
individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly
• Email, SMS, direct message, prominent website banners or notification, postal communications, print
media advertisements
– A press release or corporate blog post alone is considered inadequate
– Should be sent on its own, not bundled with other information (newsletters, etc.)
– Should be in the relevant local language
– Supervisory authority can be contacted for advice on appropriate channels and
formats
Data breach notification information
Notification to affected individuals should contain at least the
following information:
• Description of the nature of the breach
• Name and contact details of data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken, or proposed to be taken, to address the
breach, including, where appropriate, measures taken to mitigate its
possible adverse effects.
Level of risk
• Determination of the level of risk to the rights and freedoms of
individuals
– Risk exists where the breach may lead to identity theft or fraud, financial loss,
damage to reputation, discrimination, emotional distress, etc.
– High risk is more likely where special categories are involved: racial or ethnic
origin, political opinions, religious or philosophical beliefs, trade union
membership, genetic data, health, sex life, criminal convictions and offences
• Type of breach
– e.g. confidentiality vs. availability breach
• Nature, sensitivity and volume of personal data
– Isolated data may cause limited harm, but different kinds of data can be combined
for identity theft, fraud, etc.
– e.g. names and addresses together with data indicating customers are on holiday
(burglary risk)
Level of risk (2)
• Ease of identification of individuals
– Ease with which individuals can be identified directly or indirectly by matching
data with other information
– Identification may depend on the context and type of breach
• Severity of consequences to individuals
– Motivation of and trust in people or organisation(s) finding and/or using the data
– Likely impact over time for individuals
• Special characteristics of the individual
– Children and vulnerable individuals are at greater risk
• Special characteristics of the data controller
– e.g. medical organisations
Loss of availability
• Permanent vs temporary loss of availability
– Data has been deleted, accidentally or by an unauthorised person, or, for securely
encrypted data, the decryption key has been lost. If the controller cannot restore
access to the data, for example from a backup, this is a permanent loss of availability
– Significant disruption to the normal service of an organisation, for example a power
failure or denial-of-service attack, renders personal data unavailable either
permanently or temporarily
• Notification of temporary breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this
could present a risk to individuals’ rights and freedoms; for example, operations may
be cancelled.
– Conversely, in the case of a media company’s systems being unavailable for several
hours (e.g. due to a power outage), if that company is then prevented from sending
newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and
freedoms.
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s
data until a ransom is paid) could lead to only a temporary loss of availability if the
data can be restored from backup. However, a network intrusion still occurred,
and notification could be required if the incident qualifies as a confidentiality
breach (i.e. personal data was accessed by the attacker) and this presents a risk to
the rights and freedoms of individuals
– Ruling out a confidentiality breach needs forensic evidence (logs, network captures)
that the data was not read or exfiltrated; without it, the controller cannot treat
the incident as an availability breach alone
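The decision flow that the notification, exceptions, timing and loss-of-availability slides describe (risk threshold for the supervisory authority, high-risk threshold for individuals, the encryption-plus-backup exception, the 72-hour clock from awareness, and the ransomware case) is shown below as a worked example in Python. It is an added illustration, not part of the original deck or of the Article 29 Working Party guidance: the boolean inputs, the rule that special-category data alone lifts a breach to ‘high risk’, the `triage` function and the constructed scenarios are simplifying assumptions, and the real determination is case-by-case.

```python
# Added example: breach-notification triage after the Art. 29 WP flowchart.
# Inputs are coarse booleans; 'special-category data => high risk' is an assumption.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised disclosure of, or access to, data
    INTEGRITY = "integrity"              # unauthorised or accidental alteration
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data


@dataclass
class Breach:
    types: set                                 # one incident can be several types at once
    aware_at: datetime                         # reasonable certainty that data was compromised
    special_category: bool = False             # Art. 9 data (health, biometric, ...) involved
    encrypted: bool = False                    # data unintelligible without the key
    key_compromised: bool = False              # a lost/stolen key voids the encryption exception
    backup_available: bool = True              # availability loss can be remedied from backup
    outage_harms_individuals: bool = False     # e.g. hospital records offline, operations cancelled
    high_risk_since_removed: bool = False      # Art. 34(3)(b): later measures removed the high risk
    direct_contact_disproportionate: bool = False  # Art. 34(3)(c): public communication instead


@dataclass
class Decision:
    risk: str                    # "none", "risk" or "high"
    notify_sa: bool              # supervisory authority, Art. 33
    sa_deadline: datetime        # aware_at + 72h
    notify_individuals: bool     # Art. 34
    public_communication: bool   # substitute for direct contact, Art. 34(3)(c)
    reasons: list = field(default_factory=list)


def triage(b: Breach) -> Decision:
    reasons = ["record in the internal breach register whatever the outcome (Art. 33(5))"]
    effective = set()  # breach types that still carry risk after mitigations

    if BreachType.CONFIDENTIALITY in b.types:
        if b.encrypted and not b.key_compromised:
            reasons.append("confidentiality impact neutralised: data unintelligible, key not compromised")
        else:
            effective.add(BreachType.CONFIDENTIALITY)

    if BreachType.INTEGRITY in b.types:
        effective.add(BreachType.INTEGRITY)

    if BreachType.AVAILABILITY in b.types:
        if not b.backup_available:
            reasons.append("permanent loss of availability: nothing to restore from")
            effective.add(BreachType.AVAILABILITY)
        elif b.outage_harms_individuals:
            reasons.append("temporary loss of availability still harms individuals")
            effective.add(BreachType.AVAILABILITY)
        else:
            reasons.append("availability restorable from backup and the outage itself causes no harm")

    if not effective:
        risk = "none"
    elif b.special_category:
        risk = "high"  # assumption: special-category data lifts the breach to high risk
    else:
        risk = "risk"

    notify_sa = risk != "none"
    deadline = b.aware_at + timedelta(hours=72)  # Art. 33(1): the clock starts at awareness
    if notify_sa:
        reasons.append(f"notify the supervisory authority by {deadline.isoformat()}; explain any delay")

    notify_individuals = public = False
    if risk == "high":
        if b.high_risk_since_removed:
            reasons.append("high risk no longer likely after subsequent measures (Art. 34(3)(b))")
        elif b.direct_contact_disproportionate:
            public = True
            reasons.append("direct contact disproportionate: public communication instead (Art. 34(3)(c))")
        else:
            notify_individuals = True
            reasons.append("communicate to affected individuals without undue delay (Art. 34(1))")

    return Decision(risk, notify_sa, deadline, notify_individuals, public, reasons)


# Constructed scenarios mirroring the deck's examples (the timestamp is made up).
EXAMPLE_AWARE_AT = datetime(2018, 5, 26, 9, 0)
SCENARIOS = {
    "lost encrypted CD, key safe, backup exists": Breach(
        {BreachType.CONFIDENTIALITY, BreachType.AVAILABILITY}, EXAMPLE_AWARE_AT, encrypted=True),
    "ransomware restored from backup, attacker read the data": Breach(
        {BreachType.CONFIDENTIALITY, BreachType.AVAILABILITY}, EXAMPLE_AWARE_AT),
    "hospital records offline, operations cancelled": Breach(
        {BreachType.AVAILABILITY}, EXAMPLE_AWARE_AT, special_category=True, outage_harms_individuals=True),
    "newsletter platform offline for hours": Breach({BreachType.AVAILABILITY}, EXAMPLE_AWARE_AT),
}

if __name__ == "__main__":
    for name, breach in SCENARIOS.items():
        d = triage(breach)
        print(f"{name}: risk={d.risk} SA={d.notify_sa} individuals={d.notify_individuals}")
        for r in d.reasons:
            print("  -", r)
```

The `reasons` list is the part worth keeping in practice: Art. 33(5) requires the controller to document every breach, including the ones it decides not to notify, and the reasoning recorded here is what a supervisory authority will ask for when it checks that decision.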
For PR/communications teams
1. Understand GDPR scope and principles, notification
requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and
obligations
– Legal updates, relevant European Commission/UK ICO GDPR working party guidance
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant
company committees and teams
– GDPR, data breach, cybersecurity, etc.
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update
company cyber/data breach response plans
– Assess and prioritise different types of data breach risks to your
organisation, including the reputational risks to your organisation, and for
the individuals impacted
– Develop communication plans for different types of data breach, including
key messages, priority and secondary audiences, order and timing
(regulators, customers, employees, investors, etc.), format, channels
– Consider the reputational risks of not disclosing different data breach risks,
taking into account:
• The risks of actual or perceived cover-up
• Likely negative customer and stakeholder reaction
• Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical, and fit for
purpose
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics.
Useful resources
Documents
• General Data Protection Regulation (Regulation (EU) 2016/679)
• Article 29 Working Party - Guidelines on Personal data breach notification under Regulation 2016/679 (WP250)
• Article 29 Working Party - Guidelines on Data Protection Impact Assessment (WP248)
• ENISA - Recommendations for a methodology of the assessment of severity of personal data breaches
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com
How To Develop Social Media StrategyHow To Develop Social Media Strategy
How To Develop Social Media Strategy
 
Safeguarding Corporate Reputation In Social Media
Safeguarding Corporate Reputation In Social MediaSafeguarding Corporate Reputation In Social Media
Safeguarding Corporate Reputation In Social Media
 
Top Social Media #Fails in Asia - 2013
Top Social Media #Fails in Asia - 2013Top Social Media #Fails in Asia - 2013
Top Social Media #Fails in Asia - 2013
 
Social Media for Thought Leadership
Social Media for Thought LeadershipSocial Media for Thought Leadership
Social Media for Thought Leadership
 
How to Minimise Social Media Marketing Risks
How to Minimise Social Media Marketing RisksHow to Minimise Social Media Marketing Risks
How to Minimise Social Media Marketing Risks
 
Digital Influence: Communications Nirvana?
Digital Influence: Communications Nirvana?Digital Influence: Communications Nirvana?
Digital Influence: Communications Nirvana?
 
Social Engagement. 15 Tips From The Trenches
Social Engagement. 15 Tips From The TrenchesSocial Engagement. 15 Tips From The Trenches
Social Engagement. 15 Tips From The Trenches
 

Último

Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxCynthia Clay
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Timegargpaaro
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon investment
 
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service AvailableNashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Availablepr788182
 
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in PakistanChallenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistanvineshkumarsajnani12
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGpr788182
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...pujan9679
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptxRoofing Contractor
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateCannaBusinessPlans
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...ssuserf63bd7
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with CultureSeta Wicaksana
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon investment
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Adnet Communications
 

Último (20)

Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
Falcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business GrowthFalcon Invoice Discounting: Empowering Your Business Growth
Falcon Invoice Discounting: Empowering Your Business Growth
 
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service AvailableNashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
Nashik Call Girl Just Call 7091819311 Top Class Call Girl Service Available
 
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in PakistanChallenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDINGParadip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
Paradip CALL GIRL❤7091819311❤CALL GIRLS IN ESCORT SERVICE WE ARE PROVIDING
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
Ooty Call Gril 80022//12248 Only For Sex And High Profile Best Gril Sex Avail...
 
Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60%  in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
Horngren’s Cost Accounting A Managerial Emphasis, Canadian 9th edition soluti...
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 

GDPR: Data Breach Notification and Communications

5
Transparency obligations
Data protection-related information and communications must be:
– Concise, transparent and intelligible
– Easily accessible
– Clear and in plain language
– In writing or by other means
– May be provided orally
– Free of charge
6
Data breach notification – regulator
• Mandatory notification within 72 hours of discovery of a breach
– To the relevant competent supervisory authority/regulator
– ‘Without undue delay’ for data processors
– Reasons for any delay beyond 72 hours must be explained
• If the breach poses a likely risk/high risk to the rights and freedoms of individuals
– Physical, material or non-material damage
– Loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy
– Other significant economic or social disadvantage to impacted individuals

7
Data breach notification (2)
• ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ *
• Types of personal data breaches

Breach type      Description
Confidentiality  Unauthorised or accidental disclosure of, or access to, personal data
Availability     Accidental or unauthorised loss of access to, or destruction of, personal data
Integrity        Unauthorised or accidental alteration of personal data

* Source: GDPR Article 4(12)

8
Data breach notification requirements
Notification to supervisory authority should contain:
• Categories and approximate number of individuals involved
• Categories and approximate number of personal records involved
• Name and contact details of Data Protection Officer or other contact point
• Description of the likely consequences of the breach
• Description of the measures taken, or proposed to be taken, to address the personal data breach, including, where appropriate, measures taken to mitigate its possible adverse effects.

9
Data breach notification – exceptions
• If the personal data is unintelligible and where a copy or back-up exists
• Where personal data is already publicly available
• If notification is considered ‘disproportionate’ to the actual or potential damage

10
Data breach notification – grey areas
• Timing
• Level of risk
• Loss of data availability

11
Timing
• Reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
– Scenario 1: In the case of a loss of a CD with unencrypted data it is often not possible to ascertain whether unauthorised persons gained access. Nevertheless, such a case has to be notified as there is a reasonable degree of certainty that a breach has occurred; the controller would become “aware” when it realised the CD had been lost.
– Scenario 2: A third party informs a controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure.
– Scenario 3: A controller detects that there has been a possible intrusion into its network. The controller checks its systems to establish whether personal data held on that system has been compromised and confirms this is the case.
– Scenario 4: A cybercriminal contacts the controller after having hacked its system in order to ask for a ransom.

12
Timing (2)
• Delayed notification
– Reason for delay must be explained if not made within 72 hours
– Scenario: where a controller experiences multiple, similar confidentiality breaches over a short period of time, leading to a ‘bundled notification’
• Breaches in more than one EU state
– Controller should notify the relevant lead supervisory authority
– Example: Facebook to notify the supervisory authority in the Republic of Ireland of breaches impacting personal data across multiple EU states
• For data processors
– Recommends immediate notification by processor to data controller
– The controller is considered aware once the processor has become aware
13
Timing (3)
• Customer/affected individuals notification
– Is required ‘in certain cases’, i.e. if special categories of personal data are disclosed online and/or where there is a high risk to the rights and freedoms of the individuals impacted
– The principal objective is ‘to provide specific information about steps [affected individuals] can take to protect themselves’
• Contacting individuals
– Information should be communicated directly
  • Email, SMS, direct message, prominent website banners or notification, postal communications, print media advertisements
– Press release or corporate blog post is considered inadequate
– Should not accompany other information (newsletters, etc)
– Should be in the relevant local language
– Supervisory authority can be contacted for advice on appropriate channels and formats
14
Data breach notification information
Notification to affected individuals should contain at least the following information:
• Description of the nature of the breach
• Name and contact details of data protection officer or other contact point
• Description of the likely consequences of the breach
• Description of measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures taken to mitigate its possible adverse effects.
15
Level of risk
• Determination of level of risk to the rights and freedoms of individuals
– Risk exists: identity theft or fraud, financial loss, damage to reputation, discrimination, emotional distress, etc
– High risk exists: racial or ethnic data, political opinion, religion or philosophical beliefs, trade union membership, genetic data, health, sex life, criminal convictions and offences
• Type of breach
– e.g. confidentiality vs availability breach
• Nature, sensitivity and volume of personal data
– Isolated data may cause harm, but different kinds of data can be used together for data theft, fraud, etc
– Data indicating customers are on holiday

16
Level of risk (2)
• Ease of identification of individuals
– Ease with which individuals can be identified directly or indirectly by matching data with other information
– Identification may depend on the context and type of breach
• Severity of consequences to individuals
– Motivation of and trust in people or organisation(s) finding and/or using the data
– Likely impact over time for individuals
• Special characteristics of the individual
– Children and vulnerable individuals are at greater risk
• Special characteristics of the data controller
– e.g. medical organisations
17
Loss of availability
• Permanent vs temporary loss of availability
– Where data has been deleted either accidentally or by an unauthorised person, or, in the example of securely encrypted data, the decryption key has been lost. In the event that the controller cannot restore access to the data, for example, from a backup, then this is regarded as a permanent loss of availability.
– Significant disruption to the normal service of an organisation, for example, experiencing a power failure or denial of service attack, rendering personal data unavailable, either permanently, or temporarily.
• Notification of temporary breaches
– If critical medical data about (hospital) patients are unavailable, even temporarily, this could present a risk to individuals’ rights and freedoms; for example, operations may be cancelled.
– Conversely, in the case of a media company’s systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals’ rights and freedoms.

18
Loss of availability (2)
• Other impacts
– Infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion still occurred, and notification could be required if the incident is qualified as a confidentiality breach (i.e. personal data is accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.
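The notification decision points spread over slides 6 to 18 (breach type, risk versus high risk, the 72-hour clock counted from awareness including processor awareness, the exceptions to contacting individuals, and the loss-of-availability grey area) pulled together as one incident-response triage helper. This is an added example, not part of the deck: the dataclass fields, scenario functions and timestamp are constructed for illustration, and the slide 9 exceptions are read here as the conditions under which affected individuals need not be contacted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # disclosure of, or access to, personal data
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data
    INTEGRITY = "integrity"              # unauthorised or accidental alteration

# Special categories the deck lists under 'high risk exists' (slide 15).
SPECIAL_CATEGORIES = frozenset({"racial_or_ethnic", "political_opinion", "religion_or_belief",
                                "trade_union", "genetic", "health", "sex_life", "criminal"})
RISK_ORDER = {"none": 0, "risk": 1, "high": 2}

@dataclass
class Breach:
    """Facts established during triage; field names are constructed for this example."""
    types: set
    data_categories: set                    # e.g. {"name", "email", "health"}
    controller_aware_at: datetime
    processor_aware_at: datetime = None     # set when a processor discovered it first
    unintelligible: bool = False            # e.g. encrypted, key not compromised
    backup_available: bool = False
    already_public: bool = False
    availability_permanent: bool = False    # data cannot be restored
    availability_harm_likely: bool = False  # temporary loss that still harms people

def awareness_time(b: Breach) -> datetime:
    """The controller is aware once its processor is aware (slide 12)."""
    if b.processor_aware_at is not None:
        return min(b.controller_aware_at, b.processor_aware_at)
    return b.controller_aware_at

def regulator_deadline(b: Breach) -> datetime:
    """72 hours from awareness; a later notification must explain the delay (slide 6)."""
    return awareness_time(b) + timedelta(hours=72)

def risk_level(b: Breach) -> str:
    """Return 'none', 'risk' or 'high' following slides 6, 15, 17 and 18."""
    base = "high" if b.data_categories & SPECIAL_CATEGORIES else "risk"
    level = "none"
    # Confidentiality: readable data in the wrong hands is at least a 'risk';
    # data that is unintelligible to whoever holds it is not (slide 9).
    if BreachType.CONFIDENTIALITY in b.types and not b.unintelligible:
        level = base
    if BreachType.INTEGRITY in b.types:
        level = max(level, base, key=RISK_ORDER.get)
    if BreachType.AVAILABILITY in b.types:
        if b.availability_permanent and not b.backup_available:
            level = max(level, base, key=RISK_ORDER.get)    # permanent loss (slide 17)
        elif b.availability_harm_likely:
            level = max(level, "risk", key=RISK_ORDER.get)  # hospital case (slide 17)
    return level

def notification_plan(b: Breach) -> dict:
    """Who must be told, and by when, per slides 6, 9 and 13."""
    level = risk_level(b)
    tell_people = level == "high" and not b.unintelligible and not b.already_public
    return {
        "risk_level": level,
        "notify_regulator": level != "none",
        "regulator_deadline": regulator_deadline(b).isoformat(),
        "notify_individuals": tell_people,
        # 'Disproportionate' effort (slide 9) is a judgement call: flag it, do not decide it.
        "check_disproportionate_effort": tell_people,
    }

T0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

def scenario_lost_cd() -> dict:
    """Slide 11, scenario 1: an unencrypted CD with customer names and emails is lost."""
    return notification_plan(Breach({BreachType.CONFIDENTIALITY}, {"name", "email"}, T0))

def scenario_ransomware_health() -> dict:
    """Slide 18: ransomware that also read patient records; the processor noticed first."""
    b = Breach({BreachType.CONFIDENTIALITY, BreachType.AVAILABILITY}, {"name", "health"},
               controller_aware_at=T0 + timedelta(hours=30), processor_aware_at=T0,
               backup_available=True)
    return notification_plan(b)

def scenario_newsletter_outage() -> dict:
    """Slide 17: a media company's power outage delays newsletters for a few hours."""
    return notification_plan(Breach({BreachType.AVAILABILITY}, {"email"}, T0))
```

The ransomware scenario shows why the processor's awareness matters: the 72-hour deadline runs from T0, not from the controller's own discovery 30 hours later.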
19
For PR/communications teams
1. Understand GDPR scope and principles, and notification requirements, grey areas and best practices
– How GDPR relates to other EU and national data protection laws and obligations
– Legal updates, relevant European Commission/UK ICO GDPR working parties
2. Educate Leadership, Legal, IT, security and other stakeholders
– Customer and stakeholder privacy needs and expectations
– Cyber/data breach reputation trends, risks and impact
– Role of communications in data breach preparation and response
3. Ensure PR/communications is formally represented on relevant company committees and teams
– GDPR, Data breach, Cybersecurity, etc

20
For PR/communications teams (2)
4. Work closely with Legal, IT and security to develop or update company cyber/data breach response plans
– Assess and prioritise different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted
– Develop communication plans for different types of data breach, including key messages, priority and secondary audiences, order and timing (regulators, customers, employees, investors, etc), format, channels
– Consider the reputational risks of not disclosing different data breach risks, taking into account:
  • The risks of actual or perceived cover-up
  • Likely negative customer and stakeholder reaction
  • Possibility of regulator investigation
– Ensure your response plans are comprehensive, clear, practical, and fit for purpose

21
For PR/communications teams (3)
5. Test and update your plans regularly
– Protocols and processes
– Messaging and content
– Digital/social media dialogue and feedback
– Leadership and team dynamics.

22
Useful resources
Documents
• General Data Protection Regulation
• Article 29 Working Party – Guidelines on Data Breach Notification
• Article 29 Working Party – Guidelines on Data Protection Impact Assessment
• ENISA – Data Breach Severity Methodology
Organisations
• European Commission
• UK ICO
• The Law Society
• CIPR
• IAPP

23
Further Information
+44 20 3856 3599
+44 (0)7973 379 989
cp@charliepownall.com
charliepownall.com