On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.
What is a personal data breach?
Article 4(12) of the GDPR broadly defines this as a breach of security leading to the loss, destruction, alteration, unauthorised disclosure of, or unauthorised access to, personal data. WP29 explains that security breaches can be categorised according to the following three principles:
- Confidentiality breach: unauthorised or accidental disclosure or access to personal data
- Integrity breach: unauthorised or accidental alteration of personal data
- Availability breach: unauthorised or accidental loss of access or destruction of personal data
WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.
When do you need to notify the supervisory authority?
Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.
WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:
- Loss of an unencrypted CD – the controller becomes aware when it realises the CD is lost, even though it does not know whether unauthorised persons gained access to the data
- A third party informs the controller that it has accidentally received a customer’s personal data – the controller becomes aware as soon as it has been informed
- A cybercriminal contacts the controller with a ransom demand after hacking its system – the controller becomes aware immediately