The Article 29 Data Protection Working Party (‘A29WP’) recently issued guidelines on personal data breach reporting under the General Data Protection Regulation (‘GDPR’).
The GDPR obliges data controllers to report personal data breaches to data protection authorities within 72 hours unless the breach is ‘unlikely to result in a risk to the rights and freedoms’ of individuals (Article 33(1)). If there is a high risk then the individuals concerned must also be contacted without undue delay (Article 34(1)). Data processors must report breaches to data controllers.
Failure to report a breach would attract a fine within the second tier of the sanctions imposed, that is, of up to 2% of worldwide turnover, or 10 million Euros, whichever is greater.
The guidelines indicate the following:
(1) If a personal data breach indicates a wider failing in security measures then this may attract a separate 2% sanction.
(2) The 72-hour countdown begins from the moment the data controller becomes “aware of the breach”. The A29WP states that this requires a reasonable degree of certainty that a security incident has occurred, leading to personal data being compromised. It recognises that some cases may be less clear than others.
(3) Investigation by the controller must begin as soon as possible to establish whether or not a breach has taken place, which should be completed soon after the initial alert. During the period of investigation the controller is not “aware” for the purposes of the countdown.
(4) The GDPR does not specify an explicit time limit for processors to alert controllers of breaches, but simply states that controllers should be informed “without undue delay” (Article 33(2)). The A29WP recommends an immediate notification with further information about the breach provided in phases, as it becomes available.
(5) In certain situations, for example where there is an immediate threat of identity theft, the controller will need to notify affected individuals without delay. Notification to the supervisory authority cannot be used as a justification for failing to communicate breaches to a data subject.
(6) Notification to data subjects should be through transparent methods of communication. Notifications confined to press releases or corporate blogs will not be considered sufficient.
(7) A controller may submit a “bundled” notification if there are multiple, similar confidentiality breaches over a short period of time, which affects large numbers of data subjects.
(8) Even where there has been a personal data breach of data that is encrypted, such a loss or alteration may still have negative consequences for data subjects (for example where the controller has no adequate backup of the encrypted data) and if so, they would need to be informed.
(9) Whether or not data is suitably encrypted will depend on the proper implementation of encryption, the level of protection it provides, whether it is up-to-date and whether it is appropriate to the risks presented.
(10) To show compliance with Articles 33 and 34, it would be advantageous to both controllers and processors to have a documented notification procedure in place and to demonstrate that employees have been informed about them.
(11) There is no penalty for reporting an incident that ultimately turns out not to be a breach.
(12) Factors to consider when assessing the risk of a breach to the rights and freedoms of individuals (which is an objective assessment):
· the type of breach;
· the nature, sensitivity, and volume of personal data;
· the ease of identification of individuals;
· the severity of consequences for individuals;
· special characteristics of the individual;
· the number of affected individuals;
· special characteristics of the data controller.
Annex A in the guidelines has a flowchart showing notification requirements.
Annex B in the guidelines gives a non-exhaustive list of examples of when a breach may be likely to result in a high risk to individuals.
The guidelines can be downloaded here from the European Commission’s website.
If you would like any further information or advice, I can be contacted at: firstname.lastname@example.org