Burger

IAPP Webinar on Data Breach

Gary LaFever
Written by Gary LaFever
Published Oct 19, 2022
Blog   |    min read
Watch the recording of this IAPP webinar and read the session key highlights

Statutory Pseudonymisation helps to reduce reporting obligations and liability under the GDPR when personal data is compromised.
IAPP Webinar on Data Breach LinkedIn Logo
  • GDPR Article 25(1) obligates parties to “implement appropriate technical and organisational measures, such as pseudonymisation.”
  • GDPR Article 25(2) obligates parties to “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
  • GDPR Recital 78 uses “pseudonymising data as soon as possible” as an example of such a measure.
  • GDPR Article 32 explicitly recognises pseudonymisation and encryption as measures to be considered when “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk."
  • Under GDPR Articles 33 and 34, pseudonymisation may mean that a data incident is “unlikely to result in a risk to the rights and freedoms of natural persons,” and thus not a data breach requiring notification to supervisory authorities or data subjects.
In the US, state and federal laws and regulations require organisations to implement reasonable security measures to safeguard personal data. Examples include:

  • New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”);
  • Massachusetts’ 201 CMR 17.00; HIPAA’s Security Rule; and
  • California provides consumers with a private right of action and statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.”
However, state breach notification laws often define encrypted or “otherwise unusable” data as not requiring breach notification to either regulators or affected individuals.

And HIPAA requires covered entities to notify patients when their unsecured protected health information (“PHI”) is impermissibly used or disclosed unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised. As part of any risk assessment performed under HIPAA, pseudonymisation could help establish this “low probability.”

Join us for this IAPP webinar on October 26th at 10 AM ET/ 4 PM CET to learn how Statutory Pseudonymisation can be a powerful tool for satisfying these requirements and how it can allow companies to protect personal data without rendering that data unusable

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.