Outside street and metal joints view.

Article 29 Working Party publishes guidelines on data breach notifications under the GDPR

Published on 11 April 2018

What data notification procedures should data controllers and processors have in place by 25 May 2018?

The guidelines

The key elements of the guidelines include:

Types of data breach

Breaches could relate to the confidentiality, availability and/or integrity of personal data.  A breach could relate to any one of these types of breach, or any combination of these.  Taking each in turn:

  • confidentiality: the disclosure to or access by someone who does not have authority to access the data;
  • availability: a loss of access to or the unintended destruction of personal data;
  • integrity: the alteration of personal data either by an unauthorised person or by accident.

When to notify a data breach

The GDPR requires data controllers to notify the relevant supervisory authority where it becomes aware of a personal data breach which is likely to result in a risk to the rights and freedoms of individuals.  The notification should be made without undue delay and where feasible within 72 hours of it becoming aware of the breach.  The controller becomes "aware" once it has a reasonable degree of certainty that (i) a security incident has occurred and (ii) the breach has led personal data being compromised.  The investigation should commence promptly and should only be for a short period to establish whether a data breach has occurred.  A more detailed investigation can follow the notification to the relevant supervisory authority.  A "bundled" notification can be made where the data controller becomes aware of multiple, similar breaches over a short period of time which leads to a longer initial investigation.  A "bundled" notification can be made within 72 hours (if appropriate) but should not be made where multiple breaches concern different types of data. 

The information to provide alongside the notification

WP29 suggest that a description of the types of individual whose personal data has been affected should be identified.  Examples of the types include vulnerable individuals (such as children), people with disabilities, employees and customers.  The type of personal data should be identified (eg health data, educational records, social care information, financial details, bank account numbers and passport details).  The notification should outline, where appropriate, any particular risk to the data subject because of the breach (eg identity theft, financial loss and threats to professional secrecy).  The focus should not be on providing precise information (unless this is available) and should be on addressing the adverse effects of the data breach and ensuring timely notification.  Further details can be provided once the notification has been made and further investigations into the breach are underway.

Breaches concerning multiple Member States

Data controllers are required to notify the lead supervisory authority if a data breach occurs.  The supervisory authority of the main establishment of the business will be the lead authority.  Data controllers may opt to notify the lead authority and the supervisory authorities of the Member States affected by the breach.  Should the data controller decide to only notify the lead authority, it should state the affected Member States - and how they have been affected - in its notification to the lead authority.

When a notification is not required

A notification does not need to be made if a breach is "unlikely to result in a risk to the rights and freedoms of natural persons".  For example, (i) where a breach relates to personal data which is publicly available so will not constitute a likely risk to the individual and (ii) the loss of encrypted data where a backup is accessible in a timely manner.  Where no back-up is available at all or the backup is not available in a timely manner a notification would need to be made.  A notification may need to be made some time after a breach occurs if data which was securely encrypted may have been compromised or the encryption software is later known to have vulnerabilities.

Notifying the data subject of a personal data breach

In addition to notifying the relevant supervisory authority in circumstances where a breach is likely to pose a risk to an individual, the individual must be notified where there is a high risk of the individual's rights and freedoms becoming affected by the data breach.  Information to be provided should include the nature of the breach, the name and contact details of the data protection officer or other contact point and the likely consequences of the breach, including, where appropriate, measures to mitigate its possible adverse effects.  The notification should be made directly to the individuals unless this would result in a disproportionate effort.  The communication should be clear and transparent (possibly provided in multiple languages).  Controllers should try to maximise the chance of contacting affected individuals (eg by using multiple contact channels to communicate the breach).

A notification does not have to be made to an individual in circumstances where: (i) the controller has applied measures to protect the individuals data in advance of the breach (eg encryption); (ii) the controller has taken steps following the breach to ensure that the high risk threat is unlikely to materialise; and (iii) it would involve a disproportionate effort to notify individuals and the data controller elects to utilise another form of public communication to notify the individual.

Record keeping

Data controllers should keep a record of all data breaches irrespective of whether they notify their relevant supervisory body or not.  The record should include the effects and consequences of the breach and details of any remedial action the controller takes.  The record should also detail the reasoning behind any decisions the controller takes – especially if the controller decides not to notify the relevant supervisory authority. 

Why is this important?

A failure to report a personal data breach in accordance with the GDPR may result in a fine (up to €10 million or 2% of the firm's global turnover) - which would be in addition to a fine for the actual data breach (which could be as much as €20 million or 4% of the firm's global turnover).  So knowing when and how to notify is key to avoid aggravating what could already be a painfully expensive fine.

Any practical tips?

Knowing how to promptly detect, notify and investigate data breaches is critical.  And systems should be tested regularly to ensure that the right team (including a member of senior management) knows what to do in a crisis.

There is no penalty for reporting incidents which do not amount to a data breach.  This makes the chances of the ICO's team being flooded (almost literally!) with breach notifications pretty high.  And with many of her senior staff leaving for highly paid jobs in private business, one wonders how she will be able to focus on anything but the biggest, most damaging data breaches.