Helping Businesses prepare for the GDPR and breach notifications Sample Clauses

Helping Businesses prepare for the GDPR and breach notifications. The GDPR, which comes into force on 25 May 2018, will considerably strengthen the existing rules and responsibilities around how businesses process and safeguard consumer data. The GDPR enshrines fundamental privacy rights for consumers, such as “the right to be forgotten” and the right to object to profiling activities, which businesses have to comply with.

  • Lloyds of London provide illuminating pointers on how businesses are preparing for the GDPR [81]. The GDPR should become a lever for all companies to adopt a risk management strategy that enables them to ensure data is adequately protected.
    o Despite the implications of the GDPR, the survey found that 57% of business leaders admit not fully understanding the potential implications of the GDPR on their company, with 12 months to go before the rules come into force.
    o 97% of respondents have heard of the GDPR but only 7% report knowing a “great deal” about it, while 64% are aware it could result in an investigation of their business and 58% are aware of the financial penalties.
    o In the light of the GDPR, there is no room for complacency. Businesses also need to accelerate breach identification, as hackers can roam the network undetected and cause unlimited damage. There will be a large number of organisations unaware that they have been or are being attacked at any given time.
    o The GDPR will force organisations to comply with a mandatory breach notification window, which places additional pressure on business to spot and disclose a breach within 72 hours. This necessitates a deep understanding of all activity happening across the entire network, at all times.

Clearly the GDPR cannot be ignored. The figure below shows the extent to which business and IT leaders in 3 European countries are not yet GDPR-ready.

[81] xxxx://xxx.xxxxxxxxxxxxxxxxxxxx.xxx/news/xxxxx-s-survey-facing-the-cyber-risk-challenge/.

Related to Helping Businesses prepare for the GDPR and breach notifications

  • Handling Sensitive Personal Information and Breach Notification A. As part of its contract with HHSC Contractor may receive or create sensitive personal information, as section 521.002 of the Business and Commerce Code defines that phrase. Contractor must use appropriate safeguards to protect this sensitive personal information. These safeguards must include maintaining the sensitive personal information in a form that is unusable, unreadable, or indecipherable to unauthorized persons. Contractor may consult the “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” issued by the U.S. Department of Health and Human Services to determine ways to meet this standard. B. Contractor must notify HHSC of any confirmed or suspected unauthorized acquisition, access, use or disclosure of sensitive personal information related to this Contract, including any breach of system security, as section 521.053 of the Business and Commerce Code defines that phrase. Contractor must submit a written report to HHSC as soon as possible but no later than 10 business days after discovering the unauthorized acquisition, access, use or disclosure. The written report must identify everyone whose sensitive personal information has been or is reasonably believed to have been compromised. C. Contractor must either disclose the unauthorized acquisition, access, use or disclosure to everyone whose sensitive personal information has been or is reasonably believed to have been compromised or pay the expenses associated with HHSC doing the disclosure if: 1. Contractor experiences a breach of system security involving information owned by HHSC for which disclosure or notification is required under section 521.053 of the Business and Commerce Code; or 2. Contractor experiences a breach of unsecured protected health information, as 45 C.F.R. 
§164.402 defines that phrase, and HHSC becomes responsible for doing the notification required by 45 C.F.R. §164.404. HHSC may, at its discretion, waive Contractor's payment of expenses associated with HHSC doing the disclosure.

  • Certification Regarding Business with Certain Countries and Organizations Pursuant to Subchapter F, Chapter 2252, Texas Government Code, PROVIDER certifies it is not engaged in business with Iran, Sudan, or a foreign terrorist organization. PROVIDER acknowledges this Purchase Order may be terminated if this certification is or becomes inaccurate.

  • Personal Data Breach Notification SAP will notify Customer without undue delay after becoming aware of any Personal Data Breach and provide reasonable information in its possession to assist Customer to meet Customer’s obligations to report a Personal Data Breach as required under Data Protection Law. SAP may provide such information in phases as it becomes available. Such notification shall not be interpreted or construed as an admission of fault or liability by SAP.

  • Prevention or Delay of Performance by the Company or the Depositary Neither the Depositary nor the Company nor any of their respective directors, employees, agents or affiliates shall incur any liability to any Owner or Holder: (i) if by reason of (A) any provision of any present or future law or regulation or other act of the government of the United States, any State of the United States or any other state or jurisdiction, or of any governmental or regulatory authority or stock exchange; (B) (in the case of the Depositary only) any provision, present or future, of the articles of association or similar document of the Company, or any provision of any securities issued or distributed by the Company, or any offering or distribution thereof; or (C) any event or circumstance, whether natural or caused by a person or persons, that is beyond the ability of the Depositary or the Company, as the case may be, to prevent or counteract by reasonable care or effort (including, but not limited to, earthquakes, floods, severe storms, fires, explosions, war, terrorism, civil unrest, labor disputes, criminal acts or outbreaks of infectious disease; interruptions or malfunctions of utility services, Internet or other communications lines or systems; unauthorized access to or attacks on computer systems or websites; or other failures or malfunctions of computer hardware or software or other systems or equipment), the Depositary or the Company is, directly or indirectly, prevented from, forbidden to or delayed in, or could be subject to any civil or criminal penalty on account of doing or performing and therefore does not do or perform, any act or thing that, by the terms of this Deposit Agreement or the Deposited Securities, it is provided shall be done or performed; (ii) for any exercise of, or failure to exercise, any discretion provided for in this Deposit Agreement (including any determination by the Depositary to take, or not take, any action that this Deposit Agreement 
provides the Depositary may take); (iii) for the inability of any Owner or Holder to benefit from any distribution, offering, right or other benefit that is made available to holders of Deposited Securities but is not, under the terms of this Deposit Agreement, made available to Owners or Holders; or (iv) for any special, consequential or punitive damages for any breach of the terms of this Deposit Agreement. Where, by the terms of a distribution to which Section 4.1, 4.2 or 4.3 applies, or an offering to which Section 4.4 applies, or for any other reason, that distribution or offering may not be made available to Owners, and the Depositary may not dispose of that distribution or offering on behalf of Owners and make the net proceeds available to Owners, then the Depositary shall not make that distribution or offering available to Owners, and shall allow any rights, if applicable, to lapse.

  • Reportable Events Involving the Xxxxx Law Notwithstanding the reporting requirements outlined above, any Reportable Event that involves solely a probable violation of section 1877 of the Social Security Act, 42 U.S.C. §1395nn (the Xxxxx Law) should be submitted by Practitioner to CMS through the self-referral disclosure protocol (SRDP), with a copy to the OIG. If Practitioner identifies a probable violation of the Xxxxx Law and repays the applicable Overpayment directly to the CMS contractor, then Practitioner is not required by this Section III.G to submit the Reportable Event to CMS through the SRDP.

  • Security Breach Notice and Reporting The Contractor shall have policies and procedures in place for the effective management of Security Breaches, as defined below, which shall be made available to the State upon request.

  • BREACH DISCOVERY AND NOTIFICATION 1. Following the discovery of a Breach of Unsecured PHI, CONTRACTOR shall notify COUNTY of such Breach, however both parties agree to a delay in the notification if so advised by a law enforcement official pursuant to 45 CFR § 164.412. a. A Breach shall be treated as discovered by CONTRACTOR as of the first day on which such Breach is known to CONTRACTOR or, by exercising reasonable diligence, would have been known to CONTRACTOR. b. CONTRACTOR shall be deemed to have knowledge of a Breach, if the Breach is known, or by exercising reasonable diligence would have known, to any person who is an employee, officer, or other agent of CONTRACTOR, as determined by federal common law of agency. 2. CONTRACTOR shall provide the notification of the Breach immediately to the COUNTY Privacy Officer. CONTRACTOR’s notification may be oral, but shall be followed by written notification within twenty four (24) hours of the oral notification. 3. CONTRACTOR’s notification shall include, to the extent possible: a. The identification of each Individual whose Unsecured PHI has been, or is reasonably believed by CONTRACTOR to have been, accessed, acquired, used, or disclosed during the Breach; b. Any other information that COUNTY is required to include in the notification to Individual under 45 CFR §164.404 (c) at the time CONTRACTOR is required to notify COUNTY or promptly thereafter as this information becomes available, even after the regulatory sixty (60) day period set forth in 45 CFR § 164.410 (b) has elapsed, including: 1) A brief description of what happened, including the date of the Breach and the date of the discovery of the Breach, if known; 2) A description of the types of Unsecured PHI that were involved in the Breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); 3) Any steps Individuals should take to protect themselves from potential harm resulting from the Breach; 4) A brief description of what CONTRACTOR is doing to investigate the Breach, to mitigate harm to Individuals, and to protect against any future Breaches; and 5) Contact procedures for Individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address. 4. COUNTY may require CONTRACTOR to provide notice to the Individual as required in 45 CFR § 164.404, if it is reasonable to do so under the circumstances, at the sole discretion of the COUNTY. 5. In the event that CONTRACTOR is responsible for a Breach of Unsecured PHI in violation of the HIPAA Privacy Rule, CONTRACTOR shall have the burden of demonstrating that CONTRACTOR made all notifications to COUNTY consistent with this Subparagraph F and as required by the Breach notification regulations, or, in the alternative, that the acquisition, access, use, or disclosure of PHI did not constitute a Breach. 6. CONTRACTOR shall maintain documentation of all required notifications of a Breach or its risk assessment under 45 CFR § 164.402 to demonstrate that a Breach did not occur. 7. CONTRACTOR shall provide to COUNTY all specific and pertinent information about the Breach, including the information listed in Section E.3.b.(1)-(5) above, if not yet provided, to permit COUNTY to meet its notification obligations under Subpart D of 45 CFR Part 164 as soon as practicable, but in no event later than fifteen (15) calendar days after CONTRACTOR’s initial report of the Breach to COUNTY pursuant to Subparagraph F.2. above. 8. CONTRACTOR shall continue to provide all additional pertinent information about the

  • Breach Notification a. In the event of a Breach of unsecured PHI or disclosure that compromises the privacy or security of PHI obtained from DSHS or involving DSHS clients, Business Associate will take all measures required by state or federal law. b. Business Associate will notify DSHS within one (1) business day by telephone and in writing of any acquisition, access, Use or disclosure of PHI not allowed by the provisions of this Contract or not authorized by HIPAA Rules or required by law of which it becomes aware which potentially compromises the security or privacy of the Protected Health Information as defined in 45 CFR 164.402 (Definitions). c. Business Associate will notify the DSHS Contact shown on the cover page of this Contract within one (1) business day by telephone or e-mail of any potential Breach of security or privacy of PHI by the Business Associate or its Subcontractors or agents. Business Associate will follow telephone or e-mail notification with a faxed or other written explanation of the Breach, to include the following: date and time of the Breach, date Breach was discovered, location and nature of the PHI, type of Breach, origination and destination of PHI, Business Associate unit and personnel associated with the Breach, detailed description of the Breach, anticipated mitigation steps, and the name, address, telephone number, fax number, and e-mail of the individual who is responsible as the primary point of contact. Business Associate will address communications to the DSHS Contact. Business Associate will coordinate and cooperate with DSHS to provide a copy of its investigation and other information requested by DSHS, including advance copies of any notifications required for DSHS review before disseminating and verification of the dates notifications were sent. d. 
If DSHS determines that Business Associate or its Subcontractor(s) or agent(s) is responsible for a Breach of unsecured PHI: (1) requiring notification of Individuals under 45 CFR § 164.404 (Notification to Individuals), Business Associate bears the responsibility and costs for notifying the affected Individuals and receiving and responding to those Individuals’ questions or requests for additional information; (2) requiring notification of the media under 45 CFR § 164.406 (Notification to the media), Business Associate bears the responsibility and costs for notifying the media and receiving and responding to media questions or requests for additional information; (3) requiring notification of the U.S. Department of Health and Human Services Secretary under 45 CFR § 164.408 (Notification to the Secretary), Business Associate bears the responsibility and costs for notifying the Secretary and receiving and responding to the Secretary’s questions or requests for additional information; and (4) DSHS will take appropriate remedial measures up to termination of this Contract.

  • COMPLIANCE WITH BREACH NOTIFICATION AND DATA SECURITY LAWS Contractor shall comply with the provisions of the New York State Information Security Breach and Notification Act (General Business Law § 899-aa and State Technology Law § 208) and commencing March 21, 2020 shall also comply with General Business Law § 899-bb.

  • NOTIFICATION OF PUBLIC EVENTS AND MEETINGS A. CONTRACTOR shall notify ADMINISTRATOR of any public event or meeting funded in whole or in part by the COUNTY, except for those events or meetings that are intended solely to serve clients or occur in the normal course of business. B. CONTRACTOR shall notify ADMINISTRATOR at least thirty (30) business days in advance of any applicable public event or meeting. The notification must include the date, time, duration, location and purpose of the public event or meeting. Any promotional materials or event related flyers must be approved by ADMINISTRATOR prior to distribution.
