The General Data Protection Regulation (“GDPR”) requires organizations to notify a personal data breach with adverse consequences to the competent national supervisory authority and possibly to the relevant individuals. The Article 29 Working Party (“WP”) has on 17 October 2017 published the long awaited guidance on this data breach notification requirement. This article briefly discusses the when, what and how of breach notifications requirements according to the WP’s guidelines.
The GDPR imposes stricter obligations on organisations to ensure the security of personal data. The breach notification is introduced as one of the means to meet this objective. The WP’s (consisting of representatives of the data protection authorities) proposed guidelines are open to public comment until 28 November 2017, after which they will be adopted: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
Notification to the supervisory authority
When? The data breach must be notified if it is likely to result in a risk to the rights and freedoms of natural persons, for example if there was an availability breach (no back-ups) which could entail adverse consequences for individuals.
If these criteria are met, controllers are required to notify the competent supervisory authority ‘without undue delay and where feasible no later than 72 hours after having become aware of it’. A controller ‘becomes aware’ when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. The controller should act on any initial alert and investigate as soon as possible. Only once the investigation is finalised and it has established a breach, the controller is deemed ‘aware’ and should notify the authority. If the controller makes use of a processor and the processors becomes aware of a breach, the controller is considered to be aware once the processor has become aware. If such processor becomes aware of a breach, it must notify the controller without undue delay. Make sure to include relevant clauses in this respect in your processing agreement.
What? The notification to the supervisory authority should contain (i) a description of the nature of the breach and related details, (ii) the contact details of the data protection officer (if any), (iii) the likely consequences and (iv) the measures taken to address the breach. If no full and comprehensive details are available within 72 hours, the notification may be provided in phases. The controller must agree with the authority how and when such additional information should be provided.
Notification to the individual
When? The data breach must be communicated to data subjects if it is likely to result in a high risk to the rights and freedoms of individuals. Examples hereof are discrimination, identity theft or fraud, financial loss and damage to reputation.
What? The same information as indicated above, and if possible, any proposed measures to mitigate any adverse effects, such as resetting passwords in case access credentials have been compromised.
How? The controller should communicate directly with the individual unless this requires disproportionate effort. Public communication or similar measures are permissible in such case.
Risk assessment to determine notification requirement: A controller must always assess the risk in case of a breach as this is the key trigger for the notification requirement. A breach constitutes a risk when it leads to physical, material or non-material damage for the individuals. A risk assessment should consider the following criteria: type of breach; nature, sensitivity, and volume of personal data; ease of identification of individuals; severity of consequences for individuals; special characteristics of individuals; number of affected individuals; and special characteristics of the controller.
Data breach register: Regardless of whether notification requirements are applicable or not, controllers must document all breaches and keep an internal register.
Non-compliance can result in sanctions or an administrative fine of up to EUR 10,000,000 or 2% of the worldwide annual turnover.
Similar notification requirements under other legislation: Controllers should also be aware of any other breach notification requirements under other applicable legislation, such as the eIDAS Regulation, the NIS Directive, the Citizens’ Rights Directive and the Breach Notification Regulation as well as professional, medical, or legal notification duties.