Member News

Notification of Personal Data Breaches

By Vincent Wellens, Jacqueline van Essen and Heidi Waem | NautaDutilh

Ransomware and other kinds of malware lie in wait for the first weakness in your IT systems. Nearly every week, a new data breach is reported in the press, tarnishing the affected company’s reputation. The GDPR requires data controllers to notify such personal data breaches to the competent data protection authority and, as the case may be, to the data subjects. The Article 29 Working Party (WP 29) has published draft guidelines (open for comments until 28 November 2017) in order to clarify the scope of this new obligation.

Notification to the supervisory authority

The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Such a breach shall be notified by the controller to the supervisory authority where there is a risk to the rights and freedoms of natural persons.

The factors which should be taken into account when assessing the risk are: (i) the type of breach (i.e. breach of confidentiality, availability and/or integrity), (ii) the nature, sensitivity and volume of personal data affected, (iii) the ease of identification of individuals, (iv) the severity of consequences for individuals, (v) special characteristics of the affected individuals, (vi) the number of affected individuals, and (vii) special characteristics of the data controller.

There is nevertheless no notification obligation where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. For instance, WP 29 considers that the loss of a securely encrypted mobile device, utilised by the controller and its staff, does not need to be notified provided the encryption key remains in the secure possession of the controller and the lost device does not contain the only copy of the personal data.

Deadline for notification

The controller shall notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

WP 29 considers that a controller is “aware” from the time it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. This is assessed on a case-by-case basis. As a rule, a controller shall investigate as soon as possible upon being informed of a potential breach. During this short investigation period, WP 29 considers that the controller may not yet be regarded as being “aware”.

If the processing is carried out by a processor, the controller will in principle be deemed to be “aware” of the breach when the processor becomes aware of it. The processor must inform the controller of the breach “without undue delay” and WP 29 recommends immediate notification in order to enable the controller to comply with its own notification obligation. If stated in the processing agreement, the processor may directly proceed with notification on the controller’s behalf (although the controller remains ultimately responsible for fulfilment of this obligation).

Communication to the data subject

Where there is likely to be a high risk to the rights and freedoms of individuals as the result of a personal data breach, the data subjects shall also be informed without undue delay. In this regard, a documented assessment, based on a higher threshold than for notification to the supervisory authority, must be carried out. WP 29 provides several examples of when such a communication is required. For instance, data subjects should be informed where a multinational online marketplace processing their personal data falls victim to a cyberattack and user names, passwords and purchase history are published online.

Data subjects shall be informed of the breach by way of a dedicated message which should not be sent along with other information such as regular updates or newsletters. The format and language of the notification must enable the data subjects to easily understand the information provided.

Nevertheless, notification to the data subjects shall not be required where (i) the controller has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the breach, (ii) the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise, or (iii) notification would involve disproportionate effort (in such a case, there shall instead be a public communication or similar measure).

Documentation of personal data breaches

In order to comply with the accountability principle, both controllers and processors should have a documented notification procedure covering (i) how to contain, manage and recover from the incident, (ii) how to assess the risk, and (iii) how to notify a breach. Moreover, employees should be trained in such procedures and be able to react appropriately in the event of a personal data breach.

The controller must also keep appropriate documentation of all breaches, regardless of whether or not they need to be notified. The documentation kept should cover: (i) the cause of the breach, (ii) a description of the incident, (iii) the personal data affected, (iv) the effects and consequences of the breach along with the remedial actions taken by the controller, and (v) a justification for the decisions taken in response to the breach (in particular, where a breach is not notified, the reasons for this decision).

Potential double sanction

Under Article 83 GDPR, the supervisory authority may impose sanctions for failure to notify a data breach. In addition, if the supervisory authority considers that the personal data breach was caused by the absence of (adequate) security measures, it may impose a separate sanction. In both cases, an administrative fine of up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, may be imposed.

Some tips for your GDPR compliance projects

Here are a few tips to keep in mind regarding personal data breach notification within the context of GDPR compliance projects:

  • When selecting encryption software, controllers should carefully evaluate the quality of the encryption offered and ensure it is properly implemented, and should understand the level of protection it provides and whether that level is appropriate to the risks presented.
  • Internal processes to detect and report security incidents to the appropriate level of management should be implemented so that the incidents can be properly addressed.
  • Employees should be trained in the appropriate procedures and mechanisms.
  • Processing agreements should contain an obligation for the processor to immediately notify the controller of any security-related incidents.
  • Where the personal data of individuals located in more than one Member State are processed, the lead supervisory authority to be notified in the event of a breach should be identified.

Compliments of NautaDutilh, a member of the EACCNY