The EDPB has recently published guidelines on personal data breach notifications under the GDPR for businesses and organisations.
The European Data Protection Board (EDPB) recently released guidelines on personal data breach notifications under the GDPR. The document sets out detailed requirements for businesses and organisations that handle individuals’ data in the event of a data breach. With the introduction of the GDPR came the requirement to report data breaches to the relevant supervisory authority, either the national supervisory authority or, in the case of a cross-border data breach, the lead supervisory authority. In many cases data subjects also need to be notified of the data breach. The EDPB guidelines include examples of personal data breaches as well as guidance on who should be notified.
The EDPB encourages controllers and processors to plan ahead and implement processes that allow them to promptly detect and contain a breach.
The EDPB emphasises that prompt detection of a data breach is paramount to minimising risk to individuals. Early detection helps the controller to quickly determine whether notification to the competent supervisory authority is necessary, and to act on that as soon as it is determined to be necessary. The GDPR generally requires the controller to notify a breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Article 33(1) GDPR states “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” The EDPB suggests that notification to the relevant authorities should form part of an organisation’s incident response plan. The GDPR outlines when a breach needs to be notified, and to whom, as well as what information should be included in the notification.
Businesses and organisations are encouraged to report personal data breaches in a timely manner, as failure to do so will likely result in corrective measures, including, but not limited to, fines.
Failure to notify the competent supervisory authority and/or the data subjects of a breach will likely result in corrective measures. This may include a fine of up to 2% of the total worldwide annual turnover of an undertaking or up to 10,000,000 EUR under the GDPR. It is therefore suggested that a notification be made as soon as possible, and within the timeframe stipulated under the GDPR. In cases where a breach has occurred but its full extent is not yet known, notification in phases is suggested as a safe way to meet the notification obligations. Depending on the nature of a breach, the controller may need to investigate further to establish all of the relevant facts relating to the incident. Article 33(4) of the GDPR states “Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.” The EDPB also outlined cases in which no notification is necessary, including certain breaches of well-encrypted data and cases where the breach is unlikely to cause any risk to the rights and freedoms of individuals.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.