On February 12, 2018, the Article 29 Working Party (“WP29”), the independent EU advisory body established under Article 29 of the Data Protection Directive, published revised Guidelines on personal data breach notification under the General Data Protection Regulation (“GDPR”). GDPR becomes effective on May 25, 2018 in all 28 EU Member States. Among other things, GDPR requires companies, for certain personal data breaches, to notify the relevant regulator (the supervisory authority) and, where the breach is likely to result in a high risk to individuals’ rights and freedoms, to communicate the breach to the individuals whose personal data have been affected. The Guidelines explain the mandatory breach notification and communication requirements in the GDPR and some of the steps companies can take to meet these new obligations. They also give examples of various types of breaches and of who would need to be notified in different scenarios.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This covers breaches of both accidental and deliberate origin, and includes breaches of availability (for example, loss of access to data), not only breaches of confidentiality. Companies must report personal data breaches to the relevant regulator, in most cases the supervisory authority of the EU Member State in which the controller of the data is located, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. “Risk” can include loss of control over the individual’s personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy, as well as any other significant economic or social disadvantage. The notification must be made without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach; where the 72-hour deadline is not met, the notification must be accompanied by the reasons for the delay.
Section II of the Guidelines provides more detail on when a controller can be considered to have “become aware” of a breach. The WP29 explains that a company becomes aware of a data breach when it has a “reasonable degree of certainty that a security incident has occurred and that has led to personal data being compromised.” After first being informed of a potential breach, or after detecting a security incident, the company may undertake a short period of investigation to establish whether a breach has in fact occurred. According to WP29, during this short investigation the company is not yet considered to be aware. Once that investigation has established that personal data have been compromised, however, the company is considered “aware,” and the 72-hour period for notifying the regulator begins to run from that point.
When reporting a personal data breach to the regulator, companies must describe the nature of the breach (including, where possible, the categories and approximate number of individuals and of personal data records concerned), provide the name and contact details of the data protection officer or another contact point, describe the likely consequences of the breach, and describe the measures taken or proposed to be taken to address it, including measures to mitigate its possible adverse effects. The Guidelines provide further clarification and examples on the content and extent of notifications. If a company is not able to provide full information at the time of the initial notification, the remaining information may be provided in phases, but without undue further delay.
If the breach is likely to result in a high risk to individuals’ rights and freedoms, companies must also inform the affected individuals without undue delay. The communication must describe, in clear and plain language, (i) the nature of the personal data breach, (ii) the likely consequences of the breach and the measures taken or proposed to be taken to address it, and (iii) the name and contact details of the data protection officer or another contact point. The Guidelines give examples of how to contact affected individuals, including direct messages (such as email or SMS), prominent website banners or notifications, postal communications, and prominent advertisements in print media. By contrast, a notification contained solely in a press release or corporate blog post would not be an effective means of communicating a breach to an individual.
Companies must keep records of all personal data breaches, regardless of whether they are required to notify the regulator or the affected individuals. The Guidelines recommend that companies document the facts of each breach, its effects, the remedial action taken, and their reasoning for the decisions made in response, including, where applicable, the justification(s) for not notifying the regulator.
Because the consequences of non-compliance with GDPR may be substantial, WP29 encourages companies to plan in advance and to put in place processes that enable them to detect and promptly contain a personal data breach, assess the risk to individuals, and then determine whether it is necessary to notify the supervisory authority and to communicate the breach to the individuals concerned.