What does Uber’s breach tell us about the GDPR and data security?

It’s crime enough that hackers stole the personal information of millions of Uber drivers and passengers, but concealing the breach, as Uber did for more than a year, would also be a serious violation of the law under the European Union’s new General Data Protection Regulation (GDPR), which applies from 25 May 2018.

Under the GDPR, companies must have processes in place to report a personal data breach to their supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; the only exception is a breach that is unlikely to result in a risk to the rights and freedoms of the individuals concerned. This applies to every company collecting, storing or processing personal information belonging to EU residents.

So it makes no difference that Uber is a US company. If even some of the 57 million records taken belonged to EU residents, the company would be subject to the GDPR.

Uber’s CEO, Dara Khosrowshahi, says the company has implemented security measures to “restrict access to and strengthen controls on our cloud-based storage accounts,” but for cloud-based businesses hardening internal systems after the fact is no longer enough: the regulation also demands that a breach be detected, assessed and reported in time.

Companies take on an additional duty of care if they collect, store or process personal information on EU data subjects. Apart from reporting the breach to the supervisory authority within 72 hours of becoming aware of it, they must also notify the affected individuals without undue delay when the breach is likely to result in a high risk to those individuals’ rights and freedoms, for example where sensitive data has been exposed.

Every company using cloud-based systems therefore needs a complete picture – an inventory or data map – of the personal data it holds, where that data sits and how it is shared in the cloud. Without one, it cannot establish within 72 hours whose data was affected, whether those people face a high risk, and what has to be reported.

Transparency is a defining principle of the new data privacy legislation, and companies will no longer get away with hiding incidents in which data has been compromised. Breaches are a fact of life and will continue to happen, so companies need to respond quickly, not only to contain and resolve them, but also to inform the relevant authorities and, where required, the affected individuals.

A sobering thought is that, even had the GDPR already been in place, fines (which can reach EUR 20 million or 4% of global annual turnover for the most serious infringements) might not be the biggest damage to Uber or to any other company suffering a breach on this scale. The greater cost to cloud-based companies is the reputational damage and the potential loss of customers.

Companies should bear that in mind before complaining about the cost of becoming compliant with the new data protection regulation. By putting systems in place to detect, manage and report data breaches, they prepare themselves for GDPR readiness and its related compliance requirements while protecting themselves from the risk of a damaged reputation.