eCommerce businesses around the world handle customers' sensitive personal information every day, and that data must be protected from theft, corruption, and loss. Keeping up is hard for merchants, however, because data breach compliance obligations now differ from one jurisdiction to the next.
It is more important than ever that businesses monitor these rules closely, from the US and LATAM to Europe and APAC.
In this article, we are going to focus on what businesses in the European Union should know about data breach regulations.
Let's start with the best known of them. The General Data Protection Regulation ('GDPR') has applied since 25 May 2018 and sets a single standard for data protection across the European Union, and that standard demands a high level of data security.
Because these security requirements strengthen the privacy rights and protection of your customers, and also directly affect the health of your business, you are obligated to stay up to date with all of its provisions.
To make it easier, we’ve put together a summary of some of the requirements in place:
- When a business becomes aware that a personal data breach has occurred, it must report the breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless it can determine and demonstrate, in line with the accountability principle, that the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. A notification made after the 72-hour mark must state the reasons for the delay.
- When the breach is likely to result in a high risk to the affected individuals, they must be informed without undue delay so they can take any necessary precautions.
What is the definition of a data breach?
A personal data breach is defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (see Article 4 (12) of the GDPR).
According to European Data Protection Board Guidelines:
- Destruction of personal data means the data no longer exists, or no longer exists in a form that is of any use.
- Damage occurs where personal data has been altered, corrupted, or is no longer complete; loss means the data may still exist, but the controller has lost control of it or can no longer access it.
- Unauthorized or unlawful processing can mean that there has been disclosure of personal data to (or access by) recipients who are not authorized to receive it.
The breach must concern personal data, which is defined by the GDPR as “any information relating to an identified or identifiable natural person” where that individual is “one who can be identified, directly or indirectly, in particular by reference to an identifier.” These “identifiers” include:
- Name
- Identification number
- Location data
- Online identifier, or
- Characteristics that are physical, physiological, genetic, mental, economic, cultural, or involve social identity
Of course, it is not always simple to know whether a breach is likely to result in a risk to your customers. The following guideline questions should help:
- Does the breach involve your customer(s)’ sensitive personal data? This would include information that could reveal racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership. It might also reveal genetic data, data concerning health or sex life, criminal convictions and offenses, or related security measures.
- Are you able to predict the damage resulting from the break-in or data leak, so that you can notify and assist your customer(s)?
- What systems and data may be affected?
- How many of your customers may have been affected by the breach?
What are the penalties businesses face for data breaches?
Fines for infringing the breach notification obligations (GDPR Articles 33 and 34, which fall under Article 83(4)) can be significant: up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
When the following provisions are infringed (Article 83(5)), fines can be even higher: up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- The basic principles for processing, including conditions for consent (see Articles 5, 6, 7 and 9 of GDPR);
- The data subjects’ rights (see GDPR Articles 12 to 22);
- The transfers of personal data to a recipient in a third country, or an international organization (see GDPR Articles 44 to 49);
- Any obligations related to Member State law adopted under GDPR Chapter IX;
- Non-compliance with an order or a temporary or definitive limitation on processing, or the suspension of data flows by the supervisory authority (see GDPR Article 58(2)), or failure to provide access in violation of Article 58(1).
The GDPR applies directly in every EU Member State (and in the EEA), and each country's supervisory authority is expected to enforce it consistently. France, for example, was among the earliest and most active enforcers, and is a leading authority together with Germany, Spain, and a few other countries. France is regarded as a trend setter in the field, especially when it comes to applying fines, which has encouraged authorities in countries such as the Netherlands, the UK, and Romania to impose fines whenever the case warrants it.
Countries such as France and the Netherlands have their supervisory authorities accept breach notifications through online forms. France's CNIL, for instance, asks for information such as the type of notification, the company's details, the type of breach that occurred, the actions taken to contain and remediate the breach, and more (further details are available on the CNIL's website).
The Netherlands also provides these types of online forms, with the information required depending on the type of breach encountered. The Dutch DPA's online notification form is available only in Dutch (more information about the Netherlands' requirements may be found on its website).
In conclusion, it is clear that meeting today's legal requirements on data breaches in the EU is a significant challenge. The threat that these breaches, and the fines that follow them, pose to a business's bottom line makes it absolutely necessary that every business in the EU stays up to date with these regulations.
For further information and support, visit the following websites:
- European Data Protection Board
- European Commission
- The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
- The French Supervisory Authority (CNIL)
If you are also interested in the main aspects that US businesses should know about data breach regulations, make sure to read this article next.