The GDPR introduces a new mandatory requirement for all controllers to notify the appropriate data protection authority of a “personal data breach” likely to result in a risk to people’s rights and freedoms, for example following a cyber-attack. This will include providing the regulator with a significant amount of information about the breach and marks a change from the present regime where notification to the ICO is not mandatory (although the ICO does already encourage notification for “serious breaches”).
The GDPR also includes a new obligation to notify the affected data subjects themselves: when a “personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. There is an exception in relation to those parts of the data which have been rendered unintelligible to unauthorised persons through the application of technical measures such as encryption or so-called “salting and hashing”.
Fines for breach of the separate fundamental requirements to implement appropriate technical and organisational security measures under Article 32(1) of the GDPR are set at the lower tier under the new sanctions regime. Article 33(5) also requires controllers to document all personal data breaches – comprising the facts of the breach, its effects and remedial actions taken – so as to enable regulators to verify compliance with the Article 32 requirements. This is in line with the accountability principle that runs through the provisions of the GDPR.
The Article 29 Working Party recently issued guidance which discusses the notification obligations and includes some worked examples of various types of breaches, including when notification is and isn’t required. Continue reading