When data security incidents span multiple jurisdictions - comment
Organisations that operate across multiple jurisdictions should understand the regulatory requirements they would be subject to in the event of a data security incident, in light of the global cyber risk they face and recent moves by policy makers across the world to bolster data security requirements.
The need for multinational organisations to familiarise themselves with their regulatory obligations around the world is reflected in the results of analysis conducted by the cyber team at Pinsent Masons, which found that 30 per cent of the cyber-related matters the team worked on in the past year involved at least two jurisdictions.
Data security obligations have been enshrined in a range of data protection legislation and sector-based regulations for years, but in recent times law-makers and regulators have stiffened the data security requirements businesses must meet. This reflects both the shift businesses have made to meet growing customer demand for digital services and the increased and evolving cyber risk that comes with it.
Perhaps the most significant development has been the implementation of the General Data Protection Regulation (GDPR). The extra-territorial effect of the GDPR makes it relevant to businesses that may not think of themselves as subject to it.
Guidance published by the European Data Protection Board (EDPB) in January confirmed that whether or not a business is subject to the GDPR depends on whether a particular processing activity it engages in falls within the scope of the Regulation.
It means that organisations that have offices or some other form of "establishment" in the European Economic Area (EEA), or that target sales of goods or services to individuals in the EEA or track the activities of individuals in the EEA, can be subject to the GDPR even if they are not based there.
The territorial scope of the GDPR matters because of the tough new rules it introduced. Not only did the GDPR bolster expectations of the way organisations provide for the security of the personal data they collect, use and store, it introduced into EU legislation a general duty to notify personal data breaches to data protection authorities and data subjects, in certain circumstances, within 72 hours of such a breach being identified.
The EDPB's guidance makes organisations' assessment of whether or not the GDPR applies a nuanced one, with a particular focus upon the processing activities relevant to the incident. To carry out this assessment in the typical tight timescales following an incident can be particularly challenging for organisations and requires expert advice – 25 per cent of instructions to our European cyber teams involve the provision of advice to non-EEA entities as to whether or not the GDPR applies.
Further guidance has been promised by the EDPB in relation to the "one stop shop" mechanism that applies under the GDPR. This system enables organisations to engage with just one data protection authority in respect of incidents or other matters that have a cross-border impact, instead of potentially tens of different authorities within the EU.
Room for improvement
Our experience, as the EDPB's own reported findings support, is that the way the one-stop-shop mechanism operates could be improved, so further clarification of the procedural steps and harmonisation of the approach taken across the EU would be welcome.
Potential reform to UK data protection law could follow the end of the Brexit transition period, as hinted at in the UK government's recent national data strategy paper, but in the short term at least a "UK GDPR" will apply, as the legislation is set to be retained in UK domestic law from 1 January 2021.
However, even though the UK GDPR will mirror the obligations in the GDPR, organisations that operate in both the UK and across the EEA will still effectively be subject to two regimes and therefore will have to adapt to supervision by both the Information Commissioner's Office and a lead supervisory authority in the EEA.
This means that from the end of the transition period, those organisations may be exposed to two separate enforcement regimes, including two sets of penalties, in respect of incidents that breach both UK and EU data protection laws.
With the legal frameworks across the world set to change further around data security and breach reporting, and as cyber risk continues to evolve and pose a threat, it is incumbent on businesses operating across jurisdictions to familiarise themselves with their regulatory requirements and prepare effective, tested incident response plans.
David McIlwaine, partner and head of Pinsent Masons’ global cyber practice