The General Data Protection Regulation (GDPR) introduces a mandatory requirement on a data controller to report certain personal data breaches to its supervisory authority and, in some circumstances, the affected data subjects. The Article 29 Working Party (WP) recently released draft guidelines containing detailed commentary and examples of personal data breaches and the notification requirements.
What is a ‘personal data breach’?
First things first, what exactly is a personal data breach? The GDPR defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The WP guidelines draw a distinction between security incidents and personal data breaches. A personal data breach will always be a security incident but not all security incidents will be personal data breaches.
The WP has explained that breaches can be categorised according to the following principles and gives examples of a breach:
(i) Confidentiality – an unauthorised or accidental disclosure of, or access to, personal data.
(ii) Integrity – an unauthorised or accidental alteration of personal data.
(iii) Availability – unauthorised or accidental loss of access to, or destruction of, personal data e.g. deletion of data accidentally or by an unauthorised person, a lost decryption key in the case of encrypted data, or unavailability due to a power failure or service attack.
It is important to note that an availability breach may occur even if data is only temporarily lost or unavailable, although such a breach may not need to be notified unless it is likely to result in a risk to the rights of individuals in the given circumstances.
When do you need to notify?
Not all personal data breaches need to be notified to a supervisory authority. The notification obligations under the GDPR are only triggered when there is a breach of personal data which is likely to result in a risk to the rights and freedoms of individuals. The GDPR recitals explain that such a risk exists when the breach may lead to physical, material or non-material damage for data subjects such as:
- identity theft or fraud;
- financial loss; or
- damage to reputation.
The WP state that an assessment of risk requires objective consideration of the likelihood and the severity of risk to rights. The factors relevant as part of this assessment are:
- the type of breach;
- the nature, sensitivity, and volume of the personal data in question;
- the ease of identification of individuals; the severity of consequence for individuals;
- the special characteristics of the individual(s) – e.g. a breach affecting vulnerable individuals may place them at a greater risk of harm;
- the number of affected individuals; and
- the special characteristics of the data controller – there is a greater threat if, for example, a medical organisation which processes sensitive data is breached.
Annex B to the WP guidelines provides examples of different types of breaches involving risk.
A notification to a supervisory authority is not required if there is unlikely to be a risk to the rights and freedoms of individuals. The WP gives an example of where a securely encrypted mobile device is lost but the organisation retains the encryption key and adequate backup copies of the lost data.
Who do you need to notify?
Where a breach affects individuals in more than one member state, the controller will need to notify its lead supervisory authority. It can also report an incident to a supervisory authority (which is not its lead authority) in a member state where individuals have been affected. However, this appears to be optional rather than mandatory and if the controller chooses not to do so, it should indicate to its lead supervisory authority in which member states data subjects are likely to have been affected.
How long do you have to notify?
The GDPR states that notification of a personal data breach to a supervisory authority must occur “not later than 72 hours after [the controller has become] aware of it”. So, when is a controller deemed to be ‘aware’ of a breach? The WP suggests that it is once a controller has a ‘reasonable degree of certainty’ that a security incident has occurred which has caused personal data to be compromised. The examples in the guidelines suggest that a reasonable degree of certainty is reached once the controller is presented with clear evidence of a breach e.g. on loss of an unencrypted CD the controller would be aware as soon as it realised the CD was lost as it is often not possible to ascertain whether unauthorised access has been gained.
In some circumstances, it may take time to establish the required level of certainty; the guidelines allow for a short period of investigation before notification. Such an investigation should be prompt and its aim should be solely to determine whether there has been a breach and the possible consequences for individuals. A more detailed investigation can take place after notification.
What must the notification contain?
As a minimum, a notification to the competent supervisory authority must contain the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records concerned) as well as contact details, the likely consequences of the breach and the measures taken or proposed to be taken by the controller.
In circumstances in which it is clear there has been a breach, but the controller has not gathered all the required information to make a notification, notification in phases and delayed notifications in appropriate exceptional circumstances may be made. In pursuing either of these options a controller is still required to explain the potential scope and cause of the breach and its plan to deal with the breach.
When do you need to notify an affected data subject?
For notification to affected data subjects, the determining factor is whether there is a high risk to the rights and freedoms of individuals. Again, Annex B to the guidelines contains a list of examples of when a breach may be high risk.
Affected data subjects must be notified “without undue delay” (which means as soon as possible according to the WP). This notification is intended to provide specific information to the data subjects about the steps they should take to protect themselves (e.g. changing passwords). The notification to a data subject should be in a dedicated message and be communicated in clear and plain language. The communication should, at the least, contain a description of the nature of the breach, contact details, the likely consequences of the breach and measures taken or proposed to be taken by the controller.
There are limited exceptions where a controller will not need to notify individuals including that (i) the controller has applied appropriate technical and organisational measures to protect the data prior to the breach (e.g. encryption), or (ii) immediately after the breach the controller has taken steps to ensure the high risk posed to data subjects is no longer likely to materialise, or (iii) it would involve disproportionate effort to contact individuals, for example, where their contact details have been lost as a result of the breach or were not known in the first place. In the case of (iii) a controller must instead make a public communication.
If a controller seeks to rely on one of these exceptions, it must be able to demonstrate to the competent supervisory authority how the exception applies.
What records do you need to keep?
The GDPR requires controllers to keep records of any personal data breaches, regardless of whether those breaches need to be notified or not. These records must contain details of the breach, its effects and consequences, and any remedial action taken. The WP also suggests documenting any reasons for decisions taken in response to a breach, for example, justification for not reporting a breach.
What are the sanctions?
The fine for a failure to report a breach can be up to the higher of 2% of worldwide turnover or €10 million. However, the WP stresses that a failure to notify may show systematic security failures. This would constitute a separate breach of the GDPR and attract a separate fine up to the same level.
Whilst the maximum fines under the GDPR are large, the UK’s Information Commissioner has recently stated in one of her “myth-busting” blogs that fines will be proportionate and will not be issued in the case of each infringement. The GDPR contains a list of factors for the supervisory authority to consider when determining whether to impose a fine and the amount of any fine. This includes the degree of co-operation by the controller with the supervising authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement.
How can organisations prepare?
Breach Identification Systems
The WP recommends that organisations have measures in place to effectively detect and respond to personal data breaches. This could include automated analyses of data flow and logs to identify irregular access, deletion or alteration of data. There should also be an incident response plan which outlines how a breach should be notified both internally and to the supervisory authority.
The WP examples show that the loss of properly encrypted data may absolve a company of the need to make a notification in the event of a personal data breach. When selecting encryption software, therefore, companies should ensure the quality is commensurate to the risks that may occur and understand the level of protection the software provides.
Service provider contracts
If there is a personal data breach within a service provider (i.e. a data processer), the WP considers that the data controller will be imputed with the awareness of the data processor. Based on the guidelines as they stand, it is therefore crucial that data controllers ensure that contracts with processers require service providers to notify the controller immediately once they become aware (i.e. they are reasonably certain) that a breach has occurred in order for the controller to meet the notification deadline.