agendaNi explores the guidelines set out by the EU’s working party on the protection of individuals with regard to the processing of personal data and looks at the key question being asked around breaches.
The General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach to be notified to the competent national supervisory authority and in, certain cases, communicate the breach to the individuals whose personal data have been affected by the breach.
The existing Data Protection Directive 95/46/EC currently encourages controllers to report breaches, however, it does not contain a specific breach notification obligation and therefore such a requirement will be new for many organisations. The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must also notify any breach to their controller.
What is a personal data breach?
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Breaches can be categorised according to three information security principles:
Confidentiality breach – unauthorised or accidental disclosure of, or access to, personal data.
Availability breach – accidental or unauthorised loss of access to, or destruction of, personal data.
Integrity breach – unauthorised or accidental alteration or personal data.
A breach can contain one of or a combination of the principles. However, while confidentiality and integrity breaches are clear to determine, an availability breach may be “less obvious”. A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data.
However, availability breaches can also apply to unavailability of data for a period of time. Under this circumstance, it is recognised as a security breach (and should be documented), but the circumstances will dictate whether notification to the supervisory authority and communication to affected individuals is necessary. The guidelines state: “If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify. This will need to be assessed on a case-by-case basis.”
Even if temporary loss of availability may not have an impact on individuals, controllers should consider the potential for a network intrusion and therefore a notification would be required.
When to notify
Article 33 outlines that in the case of a personal data breach the controller “shall without delay and, where feasible, not later than 72 hours after having become aware of it, notify…the supervisory authority”.
The guidelines stipulate that ‘awareness’ should considered as when a controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. While certainty may vary in different circumstances, the emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.
This prompt action should be informed by existing internal processes in place to be able to detect and address a breach. The controller should also have in place arrangements with any processors they use, whom also have a responsibility to notify the controller in the event of a breach. If a controller fails to act in a timely manner and it becomes apparent that a breach did occur, this could be considered as a failure to notify in accordance with Article 33.
Where notification to the supervisory authority is not made within 72 hours, reasons for the delay must be given. An example given is where a controller investigating a breach prior to notification detects similar breaches, with different causes. Rather than notify each individually, the controller may organise a meaningful notification and mean a delay of over 72 hours.
‘Bundled’ notification, provided that they concern the same type of personal data breached in the same way, over a short space of time may be acceptable, however, if breaches takes place that concern different types of personal data, breached in different ways, the normal process should occur.
Where a breach effects data subjects in more than one member state, the controller will need to notify the lead supervisory authority, meaning the controller must have a breach response plan that identifies who it will need to notify. If in any doubt, the controller should at the least notify the local supervisory authority. Controllers can also proactively report an incident to a supervisory authority who is not the lead in addition.
When to inform individuals
The main objective of notification to individuals is to provide specific information about steps they should take to protect themselves and the GDPR stats that communication should be made “without undue delay”. However not all breaches will be required to be communicated to individuals, protecting them from unnecessary “notification fatigue”.
When notifying individuals a controller should provide:
- a description of the nature of the breach;
- the name and contact details of the data protection officer or other contact point;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
The breach should be communicated directly, unless it would involve a disproportionate effort, in which case a public communication or similar measure should be enacted.
When assessing risk, the controller should consider a combination of the severity of the potential impact on the rights and freedoms of individuals and the likelihood of these occurring. Where in doubt the controller should “err on the side of caution and notify”.
Also, regardless of whether or not a breach needs to be notified to the supervisory authority, the controller “must” keep documentation of all breaches.