The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs. Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”). Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself. Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR.
With only months left before the GDPR becomes fully applicable on May 25, 2018, many data controller organizations are already familiar with the GDPR’s requirements to:
- Notify personal data breaches to the DPA without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects; and
- Communicate high-risk breaches to affected data subjects without undue delay.
More difficult to answer based on the text of the GDPR alone have been questions such as – what does it mean to be “aware” of a breach? What is the meaning of “undue delay” and in what circumstances are delays in notification justifiable? How should an organization assess “risk” to data subjects? When exactly is a breach considered unlikely to present a risk, so that it is exempted from mandatory notification? These are among the issues addressed in the Article 29 Working Party’s Guidelines on Personal data breach notification under Regulation 2016/679 (the “Guidelines”), adopted in October 2017. We have set out below answers to these and other frequently asked questions regarding data breach notifications.
- What are personal data breaches?
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The Guidelines add that this includes even an incident that results in personal data being only temporarily lost or unavailable. The converse also holds: every personal data breach is a security incident, but a security incident that does not affect personal data is not a personal data breach, so the first step in triaging any incident is to establish whether personal data were affected at all.
- What are the consequences of failing to notify a breach?
Under the GDPR, organizations can be fined up to EUR 10,000,000 or 2% of worldwide annual turnover, whichever is higher, for failing to notify a personal data breach. Failing to implement appropriate security measures to safeguard personal data falls in the same tier, but the two failures can be fined cumulatively, and in the most egregious cases, where the security failure also amounts to a breach of the fundamental data protection principles (including the integrity and confidentiality principle), the fine for that failure can be up to EUR 20,000,000 or 4% of worldwide annual turnover, whichever is higher.
- How should organizations assess the risk that breaches pose to data subjects?
The GDPR itself provides that relevant risks can include loss of control over or confidentiality of personal data, unauthorized reversal of pseudonymization, damage to reputation, discrimination, identity theft or fraud, financial loss, and other economic or social disadvantages. The Guidelines provide that both the likelihood and severity of the potential impact on data subjects should be assessed, taking into account the following criteria (among other factors):
- Type of breach. Whether the breach involves disclosure of personal data (a “confidentiality breach”), loss of access to or destruction of personal data (an “availability breach”), and/or alteration of personal data (an “integrity breach”) can affect the risk to data subjects. A single incident can fall into more than one category: a ransomware infection, for example, is an availability breach and, if the attacker also exfiltrated data, a confidentiality breach as well.
- Nature, sensitivity and volume of personal data. The Guidelines state that breaches involving sensitive personal data – including “special categories” of data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or sex life or sexual orientation, data relating to criminal convictions, and other sensitive data such as identity documents or financial data – are more likely to be high-risk. Breaches involving a combination of personal data are typically more risky than those involving only a single piece of (non-sensitive) personal data.
- Severity of consequences for individuals. The Guidelines point to identity theft, fraud, physical harm, psychological distress, humiliation, and damage to reputation as particularly severe potential consequences. The permanence of any consequences and, in the case of a confidentiality breach, the trustworthiness or malice of the unauthorised recipient of the personal data are also factors to consider.
- Number and characteristics of affected individuals. The Guidelines note that the impact of the breach is likely to be greater where a higher number of individuals are affected. Breaches that affect children or other vulnerable individuals may be higher-risk than those that do not.
- Ease of identification of individuals from the affected personal data, including whether data are pseudonymized.
Practical examples provided in the Guidelines indicate that organizations must think comprehensively and creatively about the ways in which data subjects might be affected by a breach.
- In what circumstances are the risks posed to data subjects so low as to exempt the breach from mandatory notification to DPAs?
The Guidelines provide limited, non-exhaustive examples of circumstances where a risk to data subjects may be considered unlikely. These are where: (i) the personal data leaked are already publicly available; (ii) the personal data leaked are encrypted with a state-of-the-art algorithm, or securely hashed and salted, and the key remains confidential and cannot be independently ascertained; (iii) there is a very temporary loss of access to personal data; and (iv) personal data are accidentally sent to third parties that can be trusted, by virtue of their relationship with the data controller organization, to comply with instructions. Two caveats apply to the encryption example: if the only copy of the encrypted data is lost and no backup exists, the incident remains an availability breach that may still need to be notified; and if it later emerges that the key was compromised or the encryption was weaker than assumed, the risk assessment, and the decision whether to notify, must be revisited.
The Guidelines note that, if in doubt, a data controller organization should err on the side of caution and notify, both in the case of notifications to the DPA and communications to data subjects. If a decision is taken not to notify, the justification for the decision should be documented.
- When is an organization considered to be “aware” of a breach?
The timing for notifying DPAs of a personal data breach is linked to the time at which the data controller organization becomes “aware” of the breach. The Guidelines clarify that an organization is considered to be “aware” when it has a “reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. After first detecting or being informed of a potential security incident, an organization has a short period of time to investigate and verify whether a breach has in fact occurred. While this investigation is ongoing, the time period for notification will not necessarily start running but the organization will be under an obligation to investigate and establish the facts with reasonable certainty as soon as possible.
The Guidelines suggest that in the case of a breach uncovered by an organization’s data processor, the controller organization should be considered “aware” of the breach as soon as the processor becomes aware. It is therefore important for controllers to require processors to notify them immediately upon uncovering a breach.
- In what circumstances can notifications to DPAs be delayed beyond 72 hours?
The GDPR provides for the possibility that it will not be feasible for organizations to notify DPAs within 72 hours of becoming aware of a breach, though the Guidelines clarify that delayed notification should not be the norm. Examples where delayed notification may be acceptable include:
- Where breaches are complex and in-depth investigations are necessary, an organization may make an initial incomplete notification to the DPA within the 72-hour window and follow with more information “without undue delay” as and when it becomes available. While the Guidelines do not clarify what “undue delay” means in this context, they do state that the organization should agree with the relevant DPA how and when additional information should be provided.
- Where a number of similar breaches occur over a short period of time, the Guidelines provide that an organization may make a combined notification more than 72 hours after becoming aware of the first breach, rather than notify each breach individually.
In any case, where the notification is made after the initial 72-hour window, the GDPR requires the organization to explain the reasons for the delay in the notification itself.
- What does “undue delay” mean in the context of communications to data subjects?
The Guidelines note that the purpose behind communication to data subjects is to provide information about the steps data subjects should take to protect themselves from the risk of harm; communication should therefore be made as soon as possible. While the GDPR envisages that communications to data subjects should be made in close cooperation with the DPA – thus suggesting that DPA notifications should be made first – the Guidelines clarify that in exceptional circumstances, communication to data subjects may need to take place before notification to the DPA.
- What should the notification to DPAs contain?
The GDPR sets out the minimum level of information that a notification to a DPA should contain. The organization should provide (i) contact details of the Data Protection Officer or other contact person, (ii) information regarding the categories and approximate number of data subjects and personal data records concerned, (iii) a description of the nature of the breach, (iv) likely consequences of the breach, and (v) measures the organization has taken or proposes to take to address the breach.
- What should communications to data subjects contain?
Under the GDPR, communications to data subjects should contain a minimum of (i) contact details of the Data Protection Officer or other contact person, (ii) a description of the nature of the breach, (iii) likely consequences of the breach, (iv) measures the organization has taken or proposes to take to address the breach, and (v) advice on steps data subjects can take to protect themselves.
Importantly, notifications to data subjects should be written in clear and plain language. The Guidelines also clarify that they should be delivered in dedicated messages by means that maximise the chances of communicating the information to all affected data subjects – this may require several methods of communication being used, and provision of information in alternative formats and languages where appropriate.
- What else should organizations consider?
Organizations should continue to monitor the circumstances surrounding, and effects of, a breach and may need to make or update DPA notifications or data subject communications as new information emerges. In order to comply with wider obligations under the GDPR to demonstrate compliance, organizations should fully document data breaches and the action taken in response to them. Following the initial aftermath of a breach, organizations should review the security measures they employ to safeguard personal data and their internal breach management processes and update as appropriate to reflect lessons learned from the breach.