On 28 February, a data leak was announced at the Academic Medical Center (AMC), one of the Netherlands' largest hospitals and foremost research institutions. Through a security flaw in the hospital's website contact form, the hacker gained access to personal patient data, such as names, contact information, social security and insurance numbers, and other medical details.
When the European Union’s new General Data Protection Regulation (GDPR) goes into effect on 25 May 2018, organizations will have to comply with a new set of guidelines to prepare for and mitigate the risks of potential data leaks.
Below, we use the AMC data breach as an example to help explain four key impacts GDPR requirements will have on EU organizations:
1. Data breach notification requirements
If AMC had been hacked after the GDPR went into effect, the hospital would have been required to report the data leak to the National Data Protection Authority and to all affected individuals within 72 hours of the incident. Additionally, the organization would have been required to provide affected individuals with specifics concerning the nature of their compromised information and the contact details of the organization's Data Protection Officer, who would inform them of next steps.
2. The role of the Data Protection Officer (DPO)
Following the implementation of the GDPR, the DPO will be responsible for ensuring that the organization proactively mitigates the risk of cyber-attacks, obtains consent from individuals to store their personal information and makes sure those individuals understand exactly which details will be stored. In the event of a data breach, the DPO will be required to conduct an impact analysis of all affected systems that contain or carry personal data. Additionally, the DPO will have to explain the potential consequences for those whose information has been impacted and outline next steps for mitigating those consequences. In the case of AMC's data breach, the hospital's DPO would need to explain to impacted patients how the leak of their personal data (e.g., name, date of birth and social security number) could potentially be used for identity theft and what actions patients could take to protect themselves.
3. Data protection standards
Under the GDPR, organizations will be required to provide adequate protection for the personal information they store and/or process. Personal data will need to be encrypted to prevent data breaches and to minimize their consequences. If AMC had adequately secured and encrypted its patient information, it could potentially have prevented the hack of its database and been one step closer to complying with the GDPR.
4. Obtaining explicit consent
Another relevant topic in the GDPR is consent. Under the GDPR, AMC must make sure it has the explicit consent of each individual before storing their personal information. Article 13 of the GDPR describes what information must be provided to the individual when AMC wants to store personal information. AMC must describe this in clear, easy-to-understand language on the website where it gathers this information.
Preparing your organization for GDPR
The first step toward preparing your organization for GDPR is to define where and how your organization processes and stores individuals' personal data. This may require you to assess the repositories, archives or systems that contain digital or paper records.
AMPLEXOR can not only help your organization define and categorize its methods of processing and storing personal information, but also prevent and/or minimize the impact of potential data breaches with our dedicated, secure software tools. We can implement a case-management system designed specifically for your company to keep a record of cyber-attacks on personal information, securely store all communication interactions and maintain the documents that must be submitted to the Data Protection Authority in the event of a data breach.
About the European Union’s new General Data Protection Regulation
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU).
The GDPR will come into force on 25 May 2018. The measures included in the regulation will affect every organization dealing with the private data of European citizens, and the penalties for non-compliance can go up to 20 million euro or 4% of worldwide turnover.
The GDPR will introduce stronger restrictions on the way companies use and give access to personal information. There must be clear consent to store personal data, and every European citizen will have the right to access this information at any time or even to ask to be forgotten.