GDPR Blog 07: Breach Notifications

December 21st, 2017 10:26am | Call Recording, Data Protection, EU, GDPR

GDPR is a big subject that mainstream businesses across Europe, including the UK, are just starting to see on the radar despite the fact that it was announced in May 2016. Firms now have less than a year to get their houses in order and become compliant with the directive.

The General Data Protection Regulation (GDPR) that comes into force across the EU in May 2018 will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

There are a lot of new terms introduced with the GDPR, and each has its own definition. For example, data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

Whilst under the current law there are no obligations on data processors to notify data breaches, the GDPR is specific in laying out when firms must notify their relevant supervisory authority, when individuals must be notified and in what time period these notifications have to be made. Failure to follow these rules is considered to constitute non-compliance with the GDPR and leaves a business or organisation open to relevant fines being imposed.

You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and here the GDPR specifies what kind of information regarding the breach must be reported.

Any personal data identifiers – say, email addresses, online account IDs, and possibly IP addresses – could easily pass the likely-to-affect test.

In addition, if the breached personal data contains more monetisable personal data – bank account numbers or other financial identifiers – then you can say the breach is ‘likely to harm’ the individual. In this situation, both the consumer and the supervisory authority will have to be notified.

The timescale for reporting a breach is important. A notifiable breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time period and allows firms to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

And here is where the GDPR begins to bite: failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of your global turnover.

Therefore, firms must seriously consider having in place a process for reporting breaches that all staff understand. Staff must know what constitutes a data breach and that this is more than a loss of personal data.

Staff processes must be designed to facilitate decision making about whether to notify the relevant supervisory authority or the public.

Clearly this tight timescale for reporting breaches will be challenging for many organisations, and past experiences of breaches that have not even been noticed for a number of weeks mean that robust breach detection, investigation and internal reporting procedures must be in place.

Failure to detect a breach and report it within 72 hours results in a firm having to provide a ‘reasoned justification’ for the delay to the relevant authority, and overall these new provisions clearly place administrative burdens on organisations.

How can Oak Innovation help?

Ability to remove recordings for a specific customer phone number

The ability to remove specific customer records is crucial to compliance. Under GDPR regulations, a data subject has the right to have their personal data rectified or forgotten. Oak makes it easy to find and remove specific records.

Secure recordings

All calls recorded on an Oak system are encrypted so they cannot be tampered with. Businesses are better protected from abuse, and in case of customer disagreements, stereo playback ensures perfect clarity as required by legal firms.

Store recordings for as long as you need

Oak systems can store a huge volume of recordings. Calls can be found using a wide range of criteria, for example, date, time, extension, CLI, DDI, telephone number, user defined flags or even customer reference if linked to a CRM system.