The GDPR introduces a new mandatory requirement for all controllers to notify the appropriate data protection authority of a “personal data breach” likely to result in a risk to people’s rights and freedoms, for example following a cyber-attack. This will include providing the regulator with a significant amount of information about the breach and marks a change from the present regime where notification to the ICO is not mandatory (although the ICO does already encourage notification for “serious breaches”).
The GDPR also includes a new obligation to notify the affected data subjects themselves where a “personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. There is an exception for those parts of the data which have been rendered unintelligible to unauthorised persons through the application of technical measures such as encryption or so-called “salting and hashing”.
Fines for breach of the separate fundamental requirements to implement appropriate technical and organisational security measures under Article 32(1) of the GDPR are set at the lower tier under the new sanctions regime. Article 33(5) also requires controllers to document all personal data breaches – comprising the facts of the breach, its effects and remedial actions taken – so as to enable regulators to verify compliance with the Article 32 requirements. This is in line with the accountability principle that runs through the provisions of the GDPR.
The Article 29 Working Party recently issued guidance which discusses the notification obligations and includes some worked examples of various types of breaches, including when notification is and isn’t required.
The obligation to notify without undue delay is triggered by awareness of a breach. The guidance clarifies that a controller can undertake a brief initial investigation to determine whether or not there is a breach and during this window it may be regarded as not yet being “aware”. Awareness of a processor, however, will also be deemed to be awareness of the controller (noting that the former has an obligation to notify the latter). The guidance accepts that “bundled” notifications may be appropriate for multiple similar breaches. Where a failure to notify the supervisory authority also reveals the lack of adequate security measures, there is the possibility of two sets of sanctions.
The threshold for notification of affected individuals is deliberately higher – partly to protect individuals from “notification fatigue”. Notifications should be in dedicated messages to make communication of the breach clear and transparent, rather than being tacked onto a normal communication. Multiple channels of communication may be preferable in certain circumstances to maximise the chance of properly communicating information to all affected individuals.
The Article 29 Working Party guidance on personal data breach reporting can be found here.