In today’s world of work, there are few activities that do not involve the processing of electronic data. As the volume of data traffic rises, TÜV SÜD is increasingly prioritising the topic of data security. But are companies themselves equally prepared for a data breach? The new General Data Protection Regulation (GDPR), which will become applicable law throughout Europe with effect from 25 May 2018, defines precise rules on the management of security incidents. Companies should ensure they are up to date on these regulations as data breaches can occur both within the company and from outside – for example, in the form of a hacker attack.
The consequences of a data breach can be disastrous, and may result in loss of reputation among business partners and customers. Personal information have repeatedly fallen into the wrong hands – as has been the case, for example, with credit card companies, banks or telephone companies. So far, the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) has required companies to report data breaches immediately. Companies have a duty to notify the data protection authorities and the individuals concerned without delay. Violations have also been subject to fines to date. However, with effect from 25 May 2018, the GDPR will establish significantly higher requirements. Violation of the duty to report data breaches, for example, can be punished by fines of up to EUR 1 million or, in case of companies, of up to 2 % of the total global annual turnover of the preceding financial year, whichever is the higher.
An important fact to know is that the EU-GDPR will replace the previously valid Federal German Data Protection Act. Stricter information obligations overall will ensure higher transparency.
Companies must address and tackle the new regulations. They should pay special attention to Articles 33 and 34 of the GDPR, both of which set forth reporting obligations in the event of a personal data breach. While Article 33 addresses the duty of notification to supervisory authorities, Article 34 regulates the duty to communicate a data breach to the data subjects concerned.
In the past, the duty of notification of data breaches has been limited to data breaches affecting sensitive data; however, the new requirements in Article 33 GDPR now refer to all personal data such as contact details. In the future, companies will need to pay increased attention to the relevant protocol routines and processes in case of error messages. They will need to adopt a proactive approach to ensure they are always up to date and familiar with the new regulations. The objective is to prevent data breaches altogether by increasing the amount of attention paid to IT operations and setting up appropriate security measures; breaches might jeopardise the company's good reputation and result in heavy fines. This is the challenge that companies need to master.
Topics related to data protection and data security can be found at www.tuv-sud.com/digital-service.
Press contact: Carolin Eckert