One of the most talked-about provisions in the GDPR is a new 72-hour breach notification requirement. Article 33 of the GDPR mandates that “in the case of a personal data breach, data controllers shall without undue delay” notify the supervisory authority “not later than 72 hours after having become aware of” the breach. The Article 29 Working Party Guidelines explain that “becoming aware of” a breach means that a data controller has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised. When that point is reached may vary depending on the circumstances of the specific breach. However, the focus in all cases should be on prompt investigation to determine whether personal data has been breached and, if so, to take remedial action. As the Guidelines point out, other provisions of the GDPR effectively place an affirmative obligation on data controllers to ensure that they have internal processes in place to detect and address a breach.
The GDPR broadly defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. This means that the breach notification rule covers three types of breaches: confidentiality breaches (unauthorized or accidental disclosure of, or access to, personal data), integrity breaches (unauthorized or accidental alteration of personal data), and availability breaches (accidental or unauthorized loss of access to, or destruction of, personal data). In contrast to most breach notification laws in the United States, the GDPR notification rule is also not limited to breaches of electronically stored data.
Notice to Supervisory Authority
Under Article 33, a data controller is required to notify the supervisory authority of a breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Article 33 lists the minimum information that must be included in the notice, namely:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
- Name and contact details of the data protection officer or other contact point who can provide additional information;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to be taken by the controller to address the breach, including mitigation efforts.
Notice may be given in phases. If the controller does not have all the required information within the 72-hour time period, the notification should so state and it can be amended later. The Guidelines make clear that a lack of precise information should not be a barrier to timely notification. If the notification is provided after 72 hours, the notice must provide reasons for the delay. A failure to report may result in large fines, which we will discuss in a separate blog post.
Notice to Data Subjects
Where there is a likely high risk of adverse effects to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected individuals as soon as is reasonably feasible. Factors to consider when assessing risk include the type of breach; the nature, sensitivity, and volume of the personal data; the severity of the consequences for the individual; and the special circumstances of the individual (for instance, whether they are children or other vulnerable individuals). The data controller may obtain guidance from the supervisory authority on whether notification to individuals is necessary. Under some circumstances, however, it is not reasonable to wait for such guidance. For instance, the Guidelines state that there is a “high risk” of harm to data subjects if there is an immediate threat of identity theft or if special categories of personal data have been disclosed online.
The purpose of the notice to data subjects is to provide specific information about what steps they should take to protect themselves. According to the Guidelines, the notification should be provided in dedicated, stand-alone messages, such as direct messages by email or SMS, or postal communications. Controllers may request advice from the supervisory authority on the best way to contact data subjects.
Notification Obligations of Data Processors
While only a data controller is obligated to notify the supervisory authority, Article 33 mandates that data processors notify the controller without undue delay after becoming aware of a personal data breach. The processor must notify the controller in all cases, without regard to whether the breach poses any risk to natural persons. The controller must perform the risk assessment once it receives notice from the processor.
As the Guidelines state, the contract between the data controller and the data processor should specify the parameters of the processor’s notification. This includes how notice is provided, to whom it is provided, and what information it contains. In addition, the parties’ contract may transfer the controller’s breach notification obligations to the processor; however, such provisions do not release the controller from liability to the supervisory authority in the event of a failure to report.
Cross-Border Data Breaches
In the event of cross-border breaches within the EU, the controller is required to notify only the lead supervisory authority. The notice must state whether the breach involves establishments in other Member States and in which Member States affected data subjects are located. If the breach occurs outside of the EU, the controller must notify the supervisory authority in the Member State where the controller’s EU representative is established. This could include the controller’s EU-based Data Protection Officer.
The GDPR gives data controllers very little time to investigate personal data breaches and determine whether notification to the supervisory authority is required. It is more important than ever that companies have detailed incident response plans that cover all types of personal data, however and wherever it is stored. If there is any doubt about the possible risk posed to data subjects, or about whether a breach has even occurred, it is better to err on the side of timely reporting to the supervisory authority. Controllers should also review their contracts with all of their vendors that process data and ensure that those contracts contain appropriate notification provisions.
Finally, even if notification is unnecessary, Article 33 requires controllers to maintain documentation about the breach, including any remedial action taken. The Guidelines recommend that controllers also keep records of their reasons for taking, or not taking, particular actions. Companies subject to the GDPR should have policies in place to ensure these record-keeping obligations are met.