The GDPR is on the horizon, and many companies are busy trying to learn what it means for them and what they have to do to become compliant.
Most people familiar with the GDPR know that it sets binding rules for how organizations handle the personal data they collect about individuals. That includes what organizations must do to secure personal data, and what they must do when they lose control of it.
A big part of that is how to avoid and respond to personal data breaches.
Because the GDPR is a legal instrument, it is important to understand what "personal data breach" means in this context. Article 4(12) of the regulation defines it as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." (The full text of the regulation is publicly available.)
When I hear the phrase "data breach", I think first of a company losing control of confidential information, in other words unauthorised disclosure. But the GDPR's definition is considerably broader: the accidental or unlawful destruction, loss or alteration of personal data counts as well, not only its disclosure. That means a wide range of security incidents can qualify, including ransomware infections that encrypt personal data without ever exfiltrating it.
So what does this mean for companies? According to F-Secure’s CISO Erka Koivunen, organizations might need to disclose ransomware infections to the authorities and affected customers.
“You will find that a ransomware infection (or any malware infection) in a considerable number of your workstations and servers that are centric to processing personal data would likely constitute a breach under the GDPR, and could trigger the notification obligation in articles 33 and 34,” says Erka.
Articles 33 and 34 set out the GDPR's notification obligations, and the two have different thresholds. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons". Article 34 requires the controller to communicate the breach to the affected individuals themselves, but only when it is likely to result in a high risk to those rights and freedoms. So the default for the authority is to notify unless the risk is unlikely, while individuals are contacted when the risk is high. Note also that Article 33(5) requires the controller to document every personal data breach, its effects and the remedial action taken, whether or not it was notified, so the risk assessment behind a decision not to notify has to be recorded too.
So how does a ransomware infection at a company affect the individuals whose data has been encrypted (or otherwise rendered inaccessible)? That is not an easy question to answer; it depends on what the data is used for and on whether, and how quickly, it can be restored. But it is the kind of question companies need to ask themselves to prepare for the GDPR.
“If you reach a point where ransomware affects the personal data you’ve collected, you need to worry not only about leakage (as in many data breaches), but also about how you recover the data to continue your business operations. If you have no good-quality backups, the effort of re-collecting and re-enriching the data for you to run your business may call for a gargantuan effort,” explains F-Secure Privacy Officer Hannes Saarinen. “If you’re not prepared and need to collect the same data again, you’ll probably need to report the incident, even though the data was ‘destroyed’ rather than stolen.”
As with many other security-related aspects of the GDPR, being prepared to respond when things go wrong will play a big part in what companies address in their GDPR compliance projects.
“Practically speaking, incident response plans need to be updated and include checks to determine whether the GDPR notification obligation is triggered by different incidents,” says Hannes.