On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/679 (“GDPR”). In this blog, we look at some of the key concepts considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.
What is a personal data breach?
Article 4(12) of the GDPR defines this broadly as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. WP29 explains that security breaches can be categorised according to the three well-known information security principles:
- Confidentiality breach: unauthorised or accidental disclosure or access to personal data
- Integrity breach: unauthorised or accidental alteration of personal data
- Availability breach: unauthorised or accidental loss of access or destruction of personal data
WP29 notes that an availability breach may be less obvious, for example where personal data is temporarily unavailable following a system outage or a ransomware infection. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.
When do you need to notify the supervisory authority?
Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:
- Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
- Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
- Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately
What information needs to be reported to the supervisory authority?
Further to Article 33(3) of the GDPR, the notification must describe the nature of the breach, including the categories and approximate numbers of individuals and personal data records concerned. WP29 suggests that, where precise figures are not yet available, approximate numbers should be given and refined later; Article 33(4) allows the information to be provided in phases.
When do you need to notify individuals?
Under Article 34, individuals must be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms. All communication to individuals must be in clear and plain language and must include, as a minimum, the contact point for further information, the likely consequences of the breach and the measures taken or proposed to address it, which are also among the details reported to the supervisory authority.
What about processor obligations?
Article 33(2) of the GDPR requires a processor to notify the controller “without undue delay” after becoming aware of a breach. In practice, WP29 recommends that a processor should be contractually required to notify the controller immediately, to help the controller meet its own notification obligation within 72 hours.
Accordingly, and subject to the final version of the Guidelines, it may be good practice for companies to review the timeframes specified in their agreements with service providers.
Sanctions for non-compliance
Failure to notify a personal data breach can lead to a fine of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. However, WP29 notes that a failure to notify a breach could also reveal an absence or inadequacy of existing security measures, which could attract a separate, additional fine at the same level for failing to comply with Article 32 of the GDPR. It is therefore important for controllers to properly consider the systems they have in place to manage breach reporting.
When does the supervisory authority not need to be notified?
A breach does not need to be reported to the supervisory authority if it is “unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33(1) of the GDPR). For example:
- A breach involving personal data that was already publicly available does not need to be notified where there is no risk to the individual.
- A breach concerning loss of encrypted data would not need to be reported, providing state of the art algorithms have been used and the key was not compromised. If, however, the key was subsequently found to be compromised, the risk would need to be re-evaluated and notification may be required.
Which supervisory authority do you need to notify?
If a breach affects the personal data of individuals in more than one Member State, controllers will need to notify the lead supervisory authority, which is the authority for the controller's main establishment. Controllers should identify their lead supervisory authority when drafting their breach response plan, rather than during the 72-hour window.
What records do you need to keep?
Article 33(5) of the GDPR requires controllers to document any personal data breach regardless of whether or not it needs to be notified. Controllers should therefore establish an internal register of breaches and document the reasons for the decisions taken in response to each breach, particularly where a breach is not notified, so that the supervisory authority can verify compliance.
Whilst the Guidelines are still in draft form and open for public consultation until 28 November 2017, they provide a useful starting point. Given the amount of work involved and the potential liability for failure to notify, businesses should start putting in place processes to detect and promptly contain data breaches, assess the risk to individuals, and determine whether notification to the supervisory authority or communication to individuals is required.