The Article 29 Data Protection Working Party (WP29) has made further progress on the roll out of its GDPR guidance this month.
As well as finalising the guidelines on data protection impact assessments, the WP29 has also published draft guidelines on personal data breach notification and automated decision-making and profiling (see our separate update).
The full text of the guidelines is available on the WP29 website. Comments are invited by 28 November 2017.
The GDPR introduces a requirement for a personal data breach to be notified to the competent supervisory authority and, in some cases, for the breach to be communicated to the individuals concerned. Notification is mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals.
The aim of the guidelines is to explain the mandatory breach notification and communication requirements and to set out some of the steps controllers can take to meet these obligations. Controllers and processors are encouraged to plan in advance and put processes in place to detect and promptly contain a breach, and to assess the risk to individuals and then determine if notification is required.
Article 33(1) provides that a controller shall 'without undue delay and, where feasible, not later than 72 hours after becoming aware' notify the personal data breach to the competent supervisory authority. WP29 states in the guidelines that it considers a controller as having become 'aware' when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Various examples are provided demonstrating the obligation on the controller to act on any initial alert and investigate whether a breach has actually occurred.
Although the controller retains overall responsibility for the protection of personal data, the guidelines emphasise that a processor nevertheless has an important role to play in breach notification. The GDPR provides that a processor must notify the controller of a breach 'without undue delay' but does not provide an explicit time frame. WP29 recommends an immediate notification by the processor, with further information provided in phases as information becomes available about the breach. This is important in order to help the controller meet the 72 hour deadline.
Article 33(1) sets out the minimum information that a controller must provide to the supervisory authority, including the nature of the breach, the categories and approximate number of the data subjects and personal records concerned, the likely consequences of the breach and the measures taken or proposed to mitigate the breach. If precise information is not yet available, this should not be a barrier to timely notification. The guidelines state that the focus should be directed towards addressing the adverse effects of breach rather than providing precise figures.
The GDPR recognises that a controller may not have all of the necessary information within 72 hours of becoming aware of the breach and it therefore permits information to be provided in phases. If notification is not made within 72 hours, the controller must set out reason for the delay but the guidelines point out that delayed notifications should not be seen as a regular occurrence.
Breaches that are 'unlikely to result in a risk to the rights and freedoms of natural persons' do not require notification. The guidelines refer to the previous WP29 Opinion 03/2014 on breach notification and provide some examples of breaches that would not require notification.
One such example is where personal data has been made essentially unintelligible to unauthorised parties (e.g. on a securely encrypted device) and where a backup exists. In this situation a confidentiality breach involving properly encrypted data may not need to be notified to the supervisory authority as it is unlikely to pose a risk to individuals' rights and freedoms. However, the situation would be different if a vulnerability in the encryption software is exposed. This highlights the need for controllers to consider the quality of encryption software carefully and understand the level of protection actually provided.
Article 34(1) requires a controller to communicate a personal data breach to the data subject without undue delay where the personal data breach is likely to result in a 'high risk' to the rights and freedoms of natural persons. The threshold for communicating a breach to individuals is therefore higher than for notifying supervisory authorities. The guidelines point out that this is to protect against 'unnecessary notification fatigue'.
A list of examples is included in Annex B to assist controllers in determining whether they need to notify the data subject as well as the supervisory authority. The guidelines also include advice on the information to be provided to individuals and communication methods.
The WP29 recommends that when assessing the risk to individuals as a result of the breach, the controller should take into account the following criteria:
The guidelines provide helpful clarification on the new data breach notification requirement and practical examples of various types of breaches and who to notify in different scenarios.
The WP29 considers that the new requirement has a number of benefits, including the chance for controllers to obtain advice from the supervisory authority about whether the affected individuals need to be informed. It also suggests that breach notification should be seen as a tool 'enhancing compliance' in relation to the protection of personal data. That said, a reminder is included that failure to report a breach may lead to an administrative fine of up to 10,000,000 EUR or 2% of the total worldwide annual turnover and/or corrective measures.
Organisations should review the processes they have in place internally and with processors to identify, assess and manage data breaches. Controllers should also ensure that contracts with processors set out a clear data breach notification and management process to enable controllers to meet the data breach reporting time periods under the GDPR. While a data security policy should, where possible, prevent a breach, if a breach nevertheless occurs, organisations must be ready to react in a timely manner to comply with the new notification requirement.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.
The Information Commissioner's Office (ICO) has recently published an article providing some clarity on how the data processing registration and fee provisions under the current data protection regime will change with...