Oh, welcome back to this. Introduction to GDP are
in this video will be looking up notification requirements for organizations if they suffer a breach
and the potential fines and penalties that could be handed out for noncompliance
takes breach. Notification is likely through one of the biggest concerns for organizations, so it is important to prepare well in the event that an organization is breached.
Organization should put procedures in place to effectively detect, report and investigate personal data breaches.
I'll discuss this more than accept videos on implementing Judy PR.
But for now, identifying the types of personal data held on the protection is placed upon them. Such a suit on immunization and encryption
and documenting when notification to the supervisor authority or affected individuals will be required. If the breach occurred,
large organizations will need to develop more complex policies and procedures for managing data breaches.
Failure to report a breach one required to do so could result in a fine as well as a fine for the breach itself.
The breach is defined as
a breach of security leading to the accidental or unlawful destruction, loss alteration, unauthorized disclosure, off access to personal data transmitted stored or otherwise process.
She should be clear that breaches do not only occur when hackers steal your data
from the security professionals. Perspective, Failures of confidentiality, integrity and availability are all grounds for potential data breaches.
The breach is unlikely to cause data subject harm. The controllers need to notify the supervisory authority without undue delay.
What this exactly means has not yet been determined,
but must be within 72 hours or three days.
I will describe what needs to go into the notification of the next slide.
The initial report can be made immediately, with further details to follow.
It may not be possible to fully understand the extent of a breach in the early hours of a breach, so an initial report to the supervisory authority can be made with an expectation of how long an investigation is likely to take.
Furthermore, full diagnosis of the breach and the definition testing an implementation of mitigations are likely to take longer. So again, in the first instance, provisions of the initial fixed with further details to follow in phases without undue delay,
it's allowed under the regulations
affected individual should also be notified without undue delay.
If this was required. It's proportionate effort, communication commie made by public announcements.
The Supervisor authority can compel the controller to communicate. It breached the data subjects affected if the controller has not done it voluntarily
and he pretty should be documented in the internal breach register
along with its remediation to allow verification of compliance,
whether or not a breach was reported to the supervisory authority.
Regulations state that the internal breach register should contain
the facts relating to the personal data. Breach its effect on the remedial action Taken.
Data protection officers should be the main point of contact with supervisory authority and should ensure documentation of breeches and the implementation of effective mitigation against future breaches
When communicating a breached of the supervisory authority. The following must be included in the notification.
Describe the nature of the personal data breach, including, where possible, the categories. An approximate number of data subject's concerned.
The categories. An approximate number of personal data records concerned,
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
Described the likely consequences of the personal data breach
described the measures taken or proposed to be taken by the controller to address the personal data breach, including where appropriate
measures to mitigate it's possible adverse effects.
All these, I think, should be pretty self explanatory.
Notification of a breach to affected individuals is largely similar to the notification to the supervisory authority,
with the addition of a requirement for clear and plain language to explain what has happened and the potential consequences for the individual.
The notification you're describing clear and plain language, the nature of the personal data breach,
the name and contact details of the data protection officer or the contact point where more information could be obtained.
The likely consequences of the personal data breach
the measures taken or proposed to be taken by the controller to address the personal data breach, including where appropriate measures domesticate. It's possible future effects
again. Pretty self explanatory
data subjects will be able to lodge a complaint to supervisory authorities in each member state if they believe that the processing of personal data has breached the provision of GDP are
they also have the right to an effective judicial remedy where the supervisory authority fails to properly deal with a complaint and there is also the potential for group actions to be brought.
They will have a right to compensation for material and non material damage as a result of unlawful processing operation.
Penalties for infringement of the provisions will be in place by May 2018.
This is to ensure organizations comply with the regulations. They state the penalty shall be
effective. Proportionate, dissuasive.
Any person who has suffered damage as a result of a compliance infringement has the right to receive compensation from the controller or the process. Sir.
Controllers are liable for damage caused by processing, which is not in compliance with the GDP. Are
processes are liable only for the damage caused by any processing that is in breach of the obligations specifically imposed on processes by the GPR or caused by processing that is outside, off or country. To have contracted instructions from the controller
finds maybe up to 20 million euros or forwards into global revenues.
There are two tiers of the ministry defines
the first year, offer infringements of the basic principles of processing,
in particular for breaches of consent, for infringements of data subjects right for unlawful international transfers of data and for data breaches involving special categories of data.
The second tier covers other areas of infringement. On has a maximum fine of 10 million euros, or 2% of global revenues.
The factors involved in whether to impose administrative files include
the nature, gravity and duration of the processing,
whether the infringement was intentional or negligence,
the degree of responsibility of control or process, sir.
Any relevant previous infringements.
The decree of cooperation with the supervisory authority,
the categories of personal data affected.
Whether the infringement was notified by the controller or process er to the supervisory authority.
Any previous history of enforcement
adherents to approve code of conduct,
any other aggravating or mitigating factors applicable to the circumstances of the case.
E g financial benefits gained losses avoided directly or indirectly from the infringement.
So from this, we can see the importance of demonstrably complied with the regulations identifying breeches on native find the supervisory authority off them were necessary,
not taking shortcuts for gain and for following industry standards and best practices.
In the next video, we'll be looking at transfers that personal date within international organizations and to third countries.
In the meantime, thank you very much for watching