GDPR (18) What you need to do in the event of a data breach – notification obligation
As we explained in the previous instalment of this blog, once a data breach has been identified the first concern is to limit its impact. In addition, the GDPR requires the controller to notify the supervisory authority of a personal data breach without undue delay, unless the breach is unlikely to result in a risk to the rights and freedoms of the people concerned. If the breach is likely to result in a high risk to them, the data subjects themselves must also be informed.
This obligation raises a great many questions. When does an information security incident become an actual personal data breach? When does a data breach pose a risk to the people concerned? When is that risk high? And at which point do you count as having 'become aware' of the breach, which is the moment the clock for reporting it starts running?
If the incident involves personal data, you must in any event inform your data protection officer (DPO). If you do not have an official DPO, it is essential that someone assumes this role. The DPO is in the best position to determine the data’s importance and how serious the potential impact of an infringement would be for the data subjects and for the controller (this is either your own organisation or, if you are a processor that is commissioned by another party, your client). The DPO advises the organisation about the communication that needs to take place. He or she is also the person who is best placed to decide whether the Privacy Commission needs to be notified and which information can be provided directly.
More simply, you can ask yourself three questions to determine whether notification is necessary:
- Has there actually been a personal data breach? The GDPR defines one as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. A near miss, in which the situation could have led to such an outcome but no data were actually disclosed, accessed, altered or lost, is an incident and nothing more: record it in your internal log, but there is nothing to notify. Note that loss or destruction of data also counts as a breach, even though nothing left the organisation: an irrecoverable ransomware encryption of the only copy of a customer file is a personal data breach.
- Is the breach unlikely to result in a risk? Even if data end up outside the secure zones or outside your organisation, the protection measures already in place may mean there is no real risk. The standard example is data that were encrypted with a state-of-the-art algorithm and whose key has not been compromised, so that an outsider cannot make use of them. Be careful with this exception, though: it only holds if the key is genuinely out of reach of the attacker, and it only removes the confidentiality risk. If the organisation itself has lost access to the data, or the encrypted copy was the only one, the loss of availability may still be a risk in its own right.
- Is there a high risk to the data subjects? If there is a data breach involving credit card details, for instance, there is a risk of financial damage and the data subjects must be informed without undue delay so that they can protect themselves, for example by having the card blocked. The same applies when sensitive data are involved, such as health data, or when identity fraud is a realistic consequence. If the data involved are trivial, informing everyone individually is a less urgent matter. The GDPR also recognises that it is sometimes almost impossible, or a disproportionate effort, to notify all data subjects individually. In such cases a public communication, or a similar measure that informs the data subjects equally effectively, is considered adequate.
The GDPR also lays down which information must be included in the notification to the supervisory authority:
- a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned
- the name and contact details of your DPO or of another contact point for data privacy matters
- the likely consequences of the breach
- the measures taken or proposed by the incident team to address the breach and, where appropriate, to mitigate its possible adverse effects
Some of this information may not be available immediately, and further analysis might be required to establish some of the facts. The GDPR therefore specifies that notification must take place 'without undue delay', and not 'immediately'. The standard is to notify the supervisory authority not later than 72 hours after the controller becomes aware of the data breach. If notification takes longer than 72 hours, it must be accompanied by the reasons for the delay. Information that is not yet available at the time of the initial notification may be supplied in phases, provided this is done without further undue delay.
If you act in the capacity of processor, and not that of controller, you must be particularly careful when a data breach occurs. This is because you run the risk of stepping outside the bounds of your own area of responsibility and becoming increasingly exposed to liability as a result. Most data processing agreements therefore clearly state that if the processor identifies a data breach it must contact the controller immediately, and that the processor must never communicate with the Privacy Commission or the data subjects itself. Communicating with the press is also best left to the controller. The law itself draws the same distinction: the 72-hour period applies only to the controller's notification to the supervisory authority, whereas a processor must notify the controller without undue delay after becoming aware of a breach. Every hour the processor waits eats into the controller's 72 hours, which is why contracts often set a firmer deadline for the processor, such as 24 hours or immediate notification, so that the controller can start performing its own role straight away.
Deciding which communications and which notifications are necessary will not always be straightforward. Failure to notify a data breach is an infringement of the GDPR and exposes the controller to fines of up to 10 million euro or 2% of total worldwide annual turnover, whichever is higher. At the same time, notifications of data breaches can become public. No company wants to appear on such a list, particularly if it is subsequently discovered that no data breach occurred or that the data were so well protected that there was no risk of damage: your image may suffer a great deal before this comes to light. Conversely, no company wants a reputation for attempting to cover up serious problems. In that respect, openness and transparency are always the best policy. The authorities might issue further guidelines to clarify when notification is appropriate and when it is not. Privacy specialists also warn of the danger that, in an effort to avoid fines, companies will report borderline incidents too readily, overwhelming the authorities with notifications that they cannot check and process. A similar situation occurred a while ago in the Netherlands, for example, when the notification obligation was first introduced there in the form of national legislation.
I recommend in any case that all incidents are recorded in the internal incident log that the GDPR requires the controller to maintain, detailing the established facts, the impact and the remedial action that has been taken. Also document your line of reasoning for deciding, for example, not to notify the supervisory authority or not to inform the data subjects. This will enable you to demonstrate at a later stage that the incident was spotted and that adequate measures were taken, and it allows the supervisory authority to verify that the notification obligation was respected. Following up incidents in this way also goes a long way to improving your procedures and protection measures.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.