GDPR Quick Facts

GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.” Under GDPR, entities have only 72 hours to notify a supervisory authority, which is also known as a data protection authority (DPA). Data controllers are required to report breaches to the authority, while processors must report them to their controllers.

Hong Kong and Singapore companies also have a clear idea of who to report breaches to, since GDPR requires companies with an obvious European footprint to designate an EU representative who would then report to the DPA in their member state.In addition to self-reporting the breach, GDPR says that companies must notify the impacted data subjects through a notification letter.

According to GDPR, the notification must:

1. Describe the nature of the personal data breach including where possible,the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; 
2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; 
3. describe the likely consequences of the personal data breach; 
4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Cloud computing has become an essential element of the IT sourcing strategy for many companies.

IT, legal and procurement staff in these companies are therefore faced with the fact that comprehensive know-how in many areas — not only in technology — is now necessary if cloud services are to be used responsibly, economically and in a way that is legally compliant with the locally applicable regulation frameworks.

Cloud services provide a high potential for increasing efficiency in the business world. However, from a data protection perspective, the following aspects are identified as critical:

Risk due to involvement of a third party: With the Cloud Service Provider (CSP), a third party becomes involved in the processing of personal data by the Cloud Service Customer (CSC). From the point of view of the affected person whose rights are to be protected, this represents an increase in the risk that unauthorized persons might be able to access the data being processed.

Loss of control: An increase in the number of people authorized to access the processed data means an increase in the challenge of committing all involved persons to act according to data protection laws, as well as the challenge of verifying the observance of all data protection obligations. The term “loss of control” refers to the fact that the affected person often does not know who the authorized third parties are, or has no way of monitoring them.

The European General Data Protection Regulation (GDPR) that will become binding in all
EU countries on 25 May 2018 establishes fundamental and modern technical, economic and legal framework conditions. With it, the EU is sending a clear and globally recognisable signal showing how a society can react to quickly developing technical possibilities and their consequences for the people within it. The resulting challenges for providers and users of modern IT services alike should not be underestimated, and to prepare for these challenges ahead of time is a must.

Reference: https://cloudprivacycheck.eu/ and https://martechtoday.com/now-that-gdpr-is-here-what-do-us-companies-do-if-they-have-a-breach-217121