There's not significant change in terms of the preventative security requirements except that it does receive security in general, it does receive additional attention in the GDPR. However, the requirements are still open to interpretation and a decision would be made based upon the type of organization and its means in terms of the type of security it must be implementing.

I'll quote the law because I think this is helpful. This is how you'll make a determination about what type of security obligations you must undertake. Taking into account the state of the art, the cost of implementation, a cost benefit analysis, the nature scope context and purposes of the processing as well as the risk of the varying likelihood and severity for the rights and freedoms of natural persons.

The controller and the processor should implement or shall implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk. An account should be taken in particular to risks that are presented by processing which could lead to physical material or even non material damage.

It's a great language, but in some ways there's no prescriptive requirements that you see here under the law. There are suggestions, the recitals which is the introduction of the law that discusses some measures that an organization can take and that we've listed here on the slide such as pseudonymization and use of encryption, ensuring the confidentiality, integrity and availability and resilience of your IT systems.

The ability to restore availability and access and then regular testing of security measures if you are a financial services firm or a fintech, you are really likely to be a well in your way to be compliant with the GDPR because you are probably subject to additional regulations that would already implement pretty high security standards, but nonetheless, we highlight this just for your keeping in mind. Next slide please.

Next is the reactive measures. Here is the change under the GDPR. Their prescriptive requirements when you must notify various entities when you've encountered a security breach. There are new breach notification obligations. You must notify, in Ireland for example, the DPC, the Data Protection Commissioner or if you're in another jurisdiction of the equivalent data protection authority without undue delay and were feasible within 72 hours if a breach is likely to result in a risk.

You don't need to do it if it's unlikely to result in a risk to the rights and freedoms of the data subject. This is again not as prescriptive as maybe one would like because you want a black and white answer. Best practice would be probably to notify the DPC if you're unsure, but again you would have to seek a counsel as of your DPO if you have one or outside counsel if there is a security breach and just to keep and that there probably will be as we ... We need to just assume that security breaches will happen because they do happen on a regular basis and it's best to be prepared.

Also, to keep in mind that security breach does not necessarily mean a hack into your system. It could be something as simple as taking paper files outside of a firm and having another outsider being able to view that. That would be consider a security breach as well. A processor if it's not a data controller, but a processor must notify the controller if there is a security breach without undue delay.

That's a direct obligation under the law. You must notify data subjects if data subjects are not the DPC so it's likely to result in a high risk to the privacy and fundamental rights. You must document those breaches and you should have a security breach response plan in place already and hopefully be able to ... At the end, be able to evaluate what went well and what could be improved.

For some of you that are regulated by financial services regulations and you may have a dual notification requirement depending upon the security breach and if you're in Ireland, you will have to contact the national cyber security center and also just to keep in mind, there will be new network and information security directive, we'll also have new notification obligations for any cyber security breaches that arise so you should pay attention to this as well.