The GDPR definition – ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to data subjects such as:
loss of control over their personal data or limitation of their rights,
identity theft or fraud,
unauthorised reversal of pseudonymisation,
damage to reputation,
loss of confidentiality of personal data protected by professional secrecy
or any other significant economic or social disadvantage to the data subject
Breaches, unauthorised access to or leakage of information could occur as a result of:
improper disposal of equipment or documents
lost or stolen equipment or documents (that don’t have the proper protection)
inefficient/ineffective access controls (including physical access)
inefficient/ineffective data governance (improper filing, data out of date etc.)
inappropriate defence against cyber threats – viruses and phishing
unprotected transmissions (email, video conferences etc.)
insufficient or lack of policies, procedures, controls
poorly trained, unaware, negligent or even ‘malicious’ employees
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and, where necessary, the data subject.
Where a breach has been detected, depending on circumstances, the typical response could include:
assembling the team that will be responsible for investigating and managing the incident
determining what personal data was compromised
identifying mitigating circumstances - was the data e.g. encrypted?
securing affected systems and networks, containing the incident
notifying the supervisory authority
notifying law enforcement
notifying affected businesses - if, e.g. financial information was breached, organizations should notify banks, credit card issuers and other affected institutions
notify individuals whose personal data was compromised
Informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints. Not all breaches necessarily reach the point where they require notification. If, for example, a lost laptop's hard drive was encrypted or, say, an employee accidentally accessed personal data but did not misuse it you may not need to notify. The supervisory authority may provide guidance around this.
Notifying the supervisory authority
As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay. Where the incident has been contained – meaning that the personal data breach is unlikely to result in a risk to data subject’s rights and freedoms, there is no ned to notify.
Notifying the data subject
The controller should communicate to the data subject without undue delay, where the personal data breach is likely to result in a high risk to data subject’s rights and freedoms. This so that the data subject may take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the data subject to mitigate potential adverse effects.
Communications to data subjects should be made in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication. In some cases, law enforcement may prohibit you from notifying a data subject – possibly to protect the integrity of an investigation or possibly to protect the safety and security of data subjects.
Failure to notify
If controllers fail to notify either the supervisory authority or data subjects of a data breach or both even though the requirements of Articles 33 and/or 34 are fulfilled, then the supervisory authority is presented with a choice that must include consideration of all of the corrective measures at its disposal, which would include consideration of the imposition of the appropriate administrative fine, either accompanying a corrective measure under Article 58(2) or on its own. Where an administrative fine is chosen, its value can be up to 10,000,000 EUR or up to 2 % if the total worldwide annual turnover of an undertaking.
It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it. If the breach was caused, even in part, by systemic and on-going problems, then simply containing the breach and continuing 'business as usual' is not advisable; similarly, if your response was hampered by inadequate policies or a lack of a clear allocation of responsibility then it is important to review and update these policies and lines of responsibility in the light of experience. File copies of incident reports together with all evidence. Regularly inform your senior management about the incident progress or seek their assistance if necessary.
The controller retains overall responsibility for the protection of personal data, but the processor has an important role to play to enable the controller to comply with its obligations; and this includes breach notification. Article 33(2) makes it clear that if a processor is used by a controller and the processor becomes aware of a breach of the personal data it is processing on behalf of the controller, it must notify the controller ‘without undue delay’.
Breaches affecting individuals in more than one Member State
Whenever a breach affects the personal data of individuals in more than one Member State and notification is required, the controller will need to notify the lead supervisory authority. Therefore, when drafting its breach response plan, a controller must make an assessment as to which supervisory authority is the lead supervisory authority that it will need to notify.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018