As the EU is about to enact a General Data Protection Regulation that will introduce a general obligation to notify personal data breaches for all companies doing business in Europe or directing it towards EU-based customers, we provide the reader with 8 of the most important aspects related to the implementation of this new obligation.
Filed under Andreas Leupold, Comments, English, EU Law, Europe, European Union, Outlines · Tagged with adverse effect, breach notification process, Chief Information Officer, Chief Privacy Officer, Chief Security Officer, CIO, CPO, CSO, data breaches, data controllers, data processors, data protection authorities, data protection officer, data security breaches, EU Directive 2002/58/EC, EU Directive 2009/136/EC, European Data Protection Board, GDPR, General Data Protection Regulation, incident discovery and reporting system, intelligence agencies, national supervisory authorities, obligation to report, personal data breach, technological protection measures, without undue delay
The new Brazilian Data Protection bill currently in discussion provides a whole new approach to data protection for the country. It also follows the current trend of several countries, the European Union included, by adopting a data breach notification regime. The text would make companies liable without the need to prove omission or negligence. Currently they are only liable to the extent of damages resulting from the misuse of information leaked or stolen due to a data security breach.
Filed under Brazil, Cédric Laurant, Comments, English, Latin America, Law, Renato Leite Monteiro, South America, South American Law · Tagged with adequate protection, anonymization, Argentina, Consumer Protection Code (Brazil), data breach notification, data protection, Data Protection Authority, Data Protection Bill (Brazil), data protection officer, data security breaches, Directive 95/46/EC, European Union, Marco Civil (Brazil), México, National Counsel on Protection of Personal Data (Brazil), negligence, omission, personal data, PIPEDA (Canada), preventive security measures, privacy, sensitive data, Uruguay
The European Network and Information Security Agency has recently published a report on data breach notifications in the European Union. ENISA surveyed data protection authorities, telecommunications regulatory authorities and telecom operators from different countries in the EU, but also from other non-EU countries such as the United States.
Using the various stakeholders’ responses, the report helps to understand the practices and challenges of the future mandatory data breach notification regime, and aims to assist public authorities and private organizations in the EU as they implement data breach notification policies by providing a set of recommendations.
(Summary also available in French)
Filed under Cédric Laurant, English, Europe, European Union, Farid Bouguettaya, Non-EU, Outlines, Reports & Surveys · Tagged with "Telecom Package", Article 29 Data Protection Working Party, best practices, black lists, breach mitigation measures, data breach, data breach inventory, data breach notification, data breach notification policy, data breach notification procedures, data breaches, data ombudsman, data protection, data protection officer, data security, data security breaches, deterrence measures, ENISA, EU Directive 2002/58/EC, EU Directive 2009/136/EC, EU Directive 95/46/EC, EU e-Privacy Directive, EU Regulation 460/2004/EC, European Commission, European data protection authorities, European Data Protection Supervisor, European Network and Information Security Agency, financial sector, fines, Germany, guidelines, healthcare sector, Information Commissioner Office (UK), information security, information security policy, Internet service providers, media exposure, monetary penalties, negative publicity, Norway, personal data, publicly available electronic communications services, regulatory authorities, Royal Decree (No. 1720/2007) (Spain), security document, Spain, technical implementing measures, telecommunications operators, telecommunications sector, Turkey, undue delay, United Kingdom, United States
The top 8 issues all CIOs, CSOs and CPOs should know about how to notify data breaches in Europe
Posted by "Security Breaches" Administrator on July 2, 2014