You are currently viewing GDPR – Breach Notification and Artificial Intelligence

GDPR – Breach Notification and Artificial Intelligence

The GDPR is directly applicable in each member state and will lead to a greater degree of data protection harmonization across EU nations, but there is application to US and Canadian organizations as well.

Read the actual articles here -

GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018. One of the biggest challenges is Data Security and Breach Notification.

With new obligations on such matters as data subject consent, data privacy, breach notification, trans-border data transfers, and designation of data protection officers, the GDPR requires organizations handling EU citizens’ data to undertake major operational changes.

New Data Processing Standards

The GDRP separates responsibilities and duties of data controllers and processors. Which means, Controllers are only obligated to engage those processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet the GDPR’s requirements.

According to Article 32, Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Controllers and processors that adhere to either an approved code of conduct or an approved certification mechanism, may use these tools to demonstrate compliance with the GDPR’s security standards, while increasing their security posture and reducing the overall risk.

Now... the real pain point.  Notification of Personal Data Breach to the Supervisory Authority.  

Article 33 states, In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

In addition to the breach requirement take place within 72 hours, a notification to the authority must “at least”:

(1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If not all information is available at once, it may be provided in phases.

If not all information is available at once, it may be provided in phases.  Speaking from experience in Incident Response, this is not an easy task.  With 72 hours of the initial breach determination, very little is actually known about the event.  In all honesty, in 72 hours, it is likely that a remote confirmation of scope isn't going to be possible.

However, after the recent breach of Equifax... there will be additional drive behind adherence to GDPR or some upcoming United States equivalent.  This upcoming deadline will require a complete operational overall in some organizations.

Meanwhile, some organizations are struggling to stay abreast of an ever-changing compliance landscape complicated by the fact that e-commerce  and international business have no borders. This forces organizations that operate in multiple states and countries to reconcile a confusing litany of regulations, some of which directly contradict each other. With the increasing rate of breaches, the federal government will eventually be forced to step in, as it did with HIPAA in the 1990s, to protect users.

But... what about Artificial Intelligence?

Unfortunately, for the affected IT and IS groups, Artificial Intelligence is not going to be significantly helpful.

It is generally understood that, Artificial Intelligence is all about handling and deriving insights from vast amounts of data, and yes, GDPR demands that organizations comb through their databases for personal information that falls under GDPR’s requirements.

That being said, Artificial Intelligence has not yet reached the adoption tipping point or maturity level necessary to make it much of a factor in the GDPR efforts.

Over time, vendors will undoubtedly work those issues out, but, in the meantime, companies should roll up their sleeves and take a thorough, systematic approach to preparing for the May 25th deadline rather than looking to AI as a shortcut.

Reach out to Critical Path Security for guidance regarding the security ramifications and planning of GDPR compliancy.

Leave a Reply