GDPR data breach notification obligation requires the adoption of appropriate technical and organisational measures in order to ensure the safeguarding of personal data during processing. Since the assessment of the risk degree is not always unequivocal, the Article 29 Data Protection Working Party (WP29) has recently adopted GDPR data breach Guidelines.
When unauthorised or unlawful processing and accidental loss, destruction or damage of personal data occurs, personal data controllers may be under an obligation to notify the supervisory authority and data subjects after an appropriate risk assessment. GDPR data breach Guidelines assist the controllers and the processors to comply with their obligations under Articles 33 and 34 of the GDPR on a potential security breach of personal data.
Data processor’s obligation
Although the responsibility of the personal data protection belongs to the controller, the data processor must ensure the compliance of the former with the notification requirements. Hence, if a processor becomes aware of a breach of personal data that it has been processing on the controller’s behalf, it is bound to notify the controller ‘without undue delay’.
Notification of the personal data breach to supervisory authority
In the event of a security breach likely to result in a risk to the rights and freedoms of individuals, the data controller is obliged to notify the leading supervisory authority in order to receive guidance.
The time frame for notification is no later than 72 hours from the time the controller obtained a reasonable degree of certainty that a breach compromising personal data has taken place. If the controller does not possess all relevant information, it may proceed with notification in phases parallel to its investigation.
Nonetheless, when the breach is unlikely to result in risks to the rights and freedoms of natural persons, the controller is not under an obligation to notify. For instance, if an encrypted CD containing a back up of an archive with personal data is stolen, the notification requirement is unlikely to apply.
Communication of the personal data breach to data subjects
The assessment of risk is decisive for the requirement of communication to the data subjects. If the breach is likely to lead to high risk to the rights and freedoms of individuals, such as discrimination, financial damage, identity theft, fraud and humiliation, the notification of the relevant individuals must be triggered. The severity of the potential impact should be estimated on a case by case basis taking into consideration the type of breach, the nature, sensitivity and volume of personal data, the ease of identification of individuals and the special characteristics of the individual and the data controller.
The communication should be characterised by clarity and transparency through dedicated messages best circulated via several contact channels e.g. email, advertisement in printed media, communication by post, or prominent website banners.
Failure to notify data subject or supervisory authority
If controllers do not comply with their obligations to notify either the supervisory authority or data subjects or both of a data breach, corrective measures including appropriate administrative fines may apply. The supervisory authority is entitled to impose administrative fine up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover of an undertaking pursuant to Article 83(4)(a) of the GDPR.
Suggested response plan
What to do next? With the help of your Data Protection Officer, a response plan comprising the following areas should be prepared:
- A person or group of persons should be responsible for receiving all information about security incidents in order to later establish potential breach and assess the risk.
- Risk assessment regarding the rights and freedoms of individuals should take place and according to the findings of likelihood of no risk, risk or high risk, it should be communicated to the appropriate sections of the organisation.
- If the likelihood of risk is established, the controller must notify the supervisory authority and, if the risk is high, communicate the breach to the individuals involved.
- Simultaneously, the controller should take the relevant measures to restrict and recover the breach.
