For this post on GDPR, we will cover the who and what of data breach reporting obligations. It is a good candidate for building on existing security event and incident handling activities.
The definition of a data breach within GDPR is:
“Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. – Art. 4(12)
In case of a personal data breach, the controller shall without undue delay, and where feasible, no later than 72 hours after becoming aware of it, notify the personal data breach to the competent supervisory authority. The GDPR details mandatory information to be included in the personal data breach notification (check what items comprise that mandatory information at the end of this post).
Regarding timing and completeness of the notification, Recital 85 states:
“Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.”
This obligation applies only when the data breach may result in a risk to the rights and freedoms of natural persons. I suggest you double check what those rights and freedoms are with legal. Even better, ask the supervisory authority.
Furthermore, the processor shall notify the controller without undue delay after becoming aware of a personal data breach (the Regulation does not enforce a hard deadline for the processor-to-controller notification). Beware that, for the first time, processors will also be subject to penalties and civil claims by data subjects. Operationally, for all this to work, a prior assessment of the impact of processing operations on personal data will provide reliable criteria for which breaches to notify and when (that assessment – known as a Data Protection Impact Assessment in GDPR – also pinpoints what needs to be monitored for breaches).
What about the affected data subjects?
The controller should, as soon as reasonably possible and in close cooperation with the supervisory authority (for instance, communication should be prompt if there is an immediate risk of damage), communicate to the impacted data subjects:
- the nature of the personal data breach
- recommendations for the natural person concerned to mitigate potential adverse effects.
Data breaches must be documented
The controller must document any personal data breach (what happened, its effects and the remedial action taken). This documentation shall enable the supervisory authority to verify compliance with Article 33 of the GDPR (data breach notification). Clearly, there is a need for people and a management system to support it (both may already exist in the organization, due to other information security requirements).
Piggybacking on existing practices
If the organization already has procedures for handling information security incidents, then they should be reviewed for specific treatment of personal data breaches, including how to properly document them should the supervisory authority (or legal authorities) demand it, how to notify the supervisory authority, and how to receive data breach notifications from processors.
The CNIL, the French supervisory authority, provides guidance on notifying security incidents in Notifications d’incidents de sécurité aux autorités de régulation : comment s’organiser et à qui s’adresser? (Notifying security incidents to regulators: how to organise and whom to contact).
Where to start?
Being compliant with what GDPR regulates for data breach notification has a significant impact on organizations, including: raising awareness on handling data breaches; procedures for detecting, documenting and notifying data breaches; reviewing and checking on third-party entities processing personal data for your organization; and communication with both the supervisory authority and the data subjects.
Introducing these changes costs money, so you will need to build a business case for a data breach reporting initiative in order to secure funds. Consider this:
Personal data breaches seem to be more damaging to companies than other security breaches.
Campbell et al. (2003) found that security breaches in which personal data was accessed had a significant impact on a company’s stock market valuation (please check References below for the source). People relate more to personal data security breaches (“Hey, that could have happened to me!”).
The next post will tackle the reason why GDPR exists: individuals’ rights.
- Art. 33 GDPR, Notification of a personal data breach to the supervisory authority (Recitals 85, 86 and 87 are relevant for further clarification)
- Karyda, Maria & Mitrou, Lilian. (2016). Data Breach Notification: Issues and Challenges for Security Management.