CNIL Publishes Guidance on Incident Management and Notification

The French data protection authority (“the CNIL”) has published guidance on the notification of security incidents to regulatory authorities.

According to the CNIL, an organisation’s incident management process must be thought out, tested, evaluated, and corrected, and the obligation to notify competent regulatory authorities should be fully baked into this process.

Under the EU General Data Protection Regulation (GDPR), data controllers will be required to notify competent supervisory authorities, such as the CNIL, in the event of a personal data breach. [See GDPR Articles 33-34.]

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” [GDPR Article 4(12)]

The guidance published by the CNIL includes a standard 5-step incident management process based on ISO/IEC 27035, and suggests integrating notification obligations into that process.

  1. Plan and Prepare. Create a directory and incident management procedures.

Identify internal personnel involved in incident management, including those involved in:

  • Senior management
  • Information security
  • Personal data protection
  • Risk management and quality assurance
  • Communications
  • Technical support

Identify external stakeholders, including:

  • Service providers
  • Regulatory authorities
  • Links to external notification forms

Formalise and test internal incident management procedures.

  2. Detect and Report. Monitor and implement incident detection tools.

  • Set up a monitoring system to detect current threats, via internal or external sources, and analyse them on a case-by-case basis.
  • Set up detection devices to alert you to any abnormal, suspicious, and malicious activities, as well as to specifically defined “security events.” As always, it is important to take into account the privacy interests and rights of internal and external users when considering the implementation of such tools.

  3. Assess and Decide. Qualify the incident.

After evaluating the information detected and reported on, determine whether the particular event rises to the level of an incident, and whether notification of competent authorities or individuals is required under law. Document the incident in an internal registry with facts about the violation, its effects and remediation measures taken.

  4. Resolve and Notify.

Deal with the incident by:

  • Identifying and implementing measures to reduce its effects; and
  • Notifying competent authorities.

Use available notification forms provided by competent authorities, such as:

  5. Draw Lessons. Prevent recurrence.

  • Identify deficiencies and correct them, to reduce the risk of recurrence.
  • Review identified risks and update data protection impact assessments (DPIAs) accordingly.

CNIL is also creating a new teleservice, to be operational beginning in May 2018, for reporting “personal data breaches” under the GDPR. The service will allow data controllers to meet their Article 33 notification obligations in an online format.

How OneTrust Helps

OneTrust is the leading and fastest growing privacy management software platform used by hundreds of organisations globally to comply with data privacy regulations across sectors and jurisdictions, including the EU GDPR and Privacy Shield.

Our comprehensive, integrated, technology-based solutions include readiness and privacy impact assessments, data inventory and mapping automation, website scanning and consent management, subject rights requests, incident reporting, and vendor risk management.

With OneTrust, you can maintain incident and breach records, evaluate against notification requirements, and analyse overall risk with connections to the underlying data inventory. Build a systematic process to document the incident, understand if it has resulted in a breach, analyse harm to the individual and determine if a notification to the supervisory authority or the data subject.