With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October 2017.
The revised Guidelines are largely similar, so in this blog, we provide a recap of the Guidelines regarding personal data breach notification requirements under GDPR.
Personal data breach
The WP29 has provided that a personal data breach – that is, a breach of security which could lead to the loss, destruction, damage or unauthorised disclosure of, or access to, personal data – can be categorised as follows:
- Confidentiality breach: unauthorised or accidental disclosure or access to personal data.
- Integrity breach: unauthorised or accidental alteration of personal data.
- Availability breach: accidental or unauthorised loss of access or destruction of personal data.
The WP29 emphasises that an availability breach may be more difficult to determine, and stresses further that the controller will need to assess the likelihood and severity of the impact of the lack of availability on the individual(s) concerned. In the revised Guidelines, the WP29 highlights that a breach involving the temporary loss of availability should still be documented as a breach (in accordance with Article 33(5), GDPR) regardless of whether it is notifiable to the supervisory authority and/or individuals. Of course, controllers should establish an internal register of breaches and document the reasons for the decisions taken in response to any breach, particularly if a breach is not notified.
Controllers are required to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.
WP29 has said that a controller becomes “aware” when it has a “reasonable degree of certainty” that a security incident has occurred that led to personal data being compromised. Essentially, controllers are required to ensure they have appropriate technical protection and organisational measures in place to establish immediately whether a data breach has occurred. Controllers, therefore, need to ensure they are “aware” of any breaches in a timely manner to take appropriate action.
This includes ensuring that any processor notifies the controller “without undue delay” after becoming aware of a breach, to assist the controller in meeting its notification obligations. Controllers should therefore review their agreements with service providers to ensure the timeframes are aligned to meet these requirements.
The Guidelines provide that notifications to the supervisory authority should include details of the types of individuals, together with approximate numbers of individuals affected and personal data records concerned, where precise details are not available. All communication to individuals must be in clear and plain language and include most of the information that should be reported to the supervisory authority.
Breaches at non-EU establishments
The WP29 addresses the extra-territorial application of GDPR to non-EU established organisations. These revised Guidelines stress that, by reason of Article 3 of the GDPR, if an organisation experiences a personal data breach concerning personal data originating in the EU, it is also required to notify the supervisory authority and/or the individuals concerned in line with Articles 33 and 34 of the GDPR. Controllers based outside of the EU and subject to Article 3(2) are required to appoint a representative in the EU (Article 27, GDPR). The WP29 therefore recommends that notifications should be made to the supervisory authority where the controller’s representative is based.
How to prepare
It is important that organisations prepare for these new strict requirements under GDPR. Organisations should have a documented procedure in place which allows for detecting, investigating and reporting personal data breaches. Of course, a failure to notify a personal data breach when required to do so could lead to a fine of up to €10 million or 2 per cent of worldwide annual turnover, whichever is greater. A failure to notify a breach could also reveal either an absence or inadequacy of existing security measures, which could attract a separate fine.
The Information Commissioner’s Office (ICO) in particular is already showing signs of preparing for dealing with personal data breach notifications by opening a new personal data breach helpline. The ICO reported that it had seen a rise in the number of breaches being reported by 19 per cent in the last three months of 2017. This provides an indication that other organisations are already preparing for GDPR.