Article 29 Data Protection Working Party GDPR Guidelines on Breach Notification
Article 33 of the General Data Protection Regulation (the "GDPR") introduces the requirement for a personal data breach (hereafter "breach") to be notified to the competent national supervisory authority (e.g. for the UK, the Information Commissioner's Office) or, in the case of a cross-border breach, to the lead authority. Additionally, in certain cases a breach must be communicated to the individuals whose personal data have been affected by the breach.
Under the Data Protection Act 1998, whilst breach reporting is encouraged, there is no legal obligation on data controllers to report a breach. The GDPR will make breach notification mandatory for all controllers, unless a breach is unlikely to result in a risk to the rights and freedoms of individuals.
The Article 29 Working Party ("WP29") has published updated and finalised guidelines on personal data breach notifications (the "Guidelines"), following its consultation on a draft version published in October 2017 (as reported in our October bulletin).
What is a personal data breach?
"Personal data breach" is defined in Article 4(12) GDPR as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
Examples of a breach cited in the Guidelines include: a) where a device containing a copy of a controller's customer database has been lost or stolen; or b) where the only copy of a set of personal data has been encrypted by ransomware.
Types of breach
Breaches can be categorised according to the following security principles:
- Confidentiality breach - where there is an unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach - where there is an unauthorised or accidental alteration of personal data.
- Availability breach - where there is an accidental or unauthorised loss of access to, or destruction of, personal data (including where data has been deleted either accidentally or by an unauthorised person).
Consequences of breach
A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage (e.g. loss of control over their personal data, identity theft or fraud, financial loss, damage to reputation). Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place.
Notification to the supervisory authority
Article 33(1) GDPR provides that when there has been a breach, the controller shall without undue delay and (where feasible) not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
WP29 considers that a controller should be regarded as having become "aware" when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. For example, there can be no doubt that a controller has become "aware" if:
- a third party informs a controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure;
- a controller detects that there has been a possible intrusion into its network, checks its systems and confirms that personal data has been compromised;
- a cybercriminal contacts the controller after having hacked its system in order to ask for a ransom, and after checking its system the controller confirms it has been attacked.
Processor obligations
Article 33(2) GDPR provides that if a processor is used by a controller, the processor must notify the controller "without undue delay" upon becoming aware of a breach.
The Guidelines state that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller.
Helpfully, the Guidelines provide that the controller should only be considered as "aware" once the processor has informed it of the breach. WP29 had previously considered that a controller was "aware" of a personal data breach from the moment the processor became aware. WP29 recommends that the contract between the controller and processor should specify how the requirements expressed in Article 33(2) should be met, in addition to other provisions in the GDPR. This clarification is considered likely to assist negotiations between controllers and processors, as it will be more acceptable to agree a default position that a processor should only notify "without undue delay", rather than being asked to respond within a specific timeframe (e.g. 24 or 48 hours) to support the controller's obligation to report to the supervisory authority within 72 hours.
Information to be provided to the supervisory authority
Article 33(3) GDPR states that upon notification a controller needs to (as a minimum) provide details to the supervisory authority of (i) the categories of data subjects and of data records concerned; (ii) the point of contact regarding the breach; (iii) the likely consequences; and (iv) the preventative measures taken to address the breach.
When notification is not required
Breaches that are unlikely to result in a risk to the rights and freedoms of natural persons do not require notification to the supervisory authority. For example, if a securely encrypted mobile device, utilised by the controller and its staff, is lost, provided that the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data, then the personal data would be inaccessible to an attacker and the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question.
Communication to individual data subjects
As well as notifying the supervisory authority, when a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is also obliged to communicate the breach to the data subject without undue delay (Art 34(1) GDPR). The Guidelines state that the objective of notification to individuals is to provide specific information about steps they should take to protect themselves. Note that the threshold for communicating a breach to individuals is higher than for notifying supervisory authorities, and not all breaches will need to be communicated to data subjects.
The Guidelines suggest that the notification should at least provide the following information:
- a description of the nature of the breach;
- the name and contact details of the data protection officer or other contact point;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
This should be communicated to the affected data subjects directly, unless this would involve a disproportionate effort, in which case a public communication or similar alternative approach should be taken. WP29 considers that controllers are best placed to determine the most appropriate contact channel to communicate a breach to individuals, particularly if they interact with their customers on a frequent basis.
If a controller considers that it meets one of the three conditions under Article 34(3) GDPR under which it is not required to notify individuals in the event of a breach (e.g. the controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular measures that render personal data unintelligible to any person who is not authorised to access it), then, following the accountability principle under the GDPR, it must document and be able to demonstrate to the supervisory authority that it has met one or more of these conditions.
Record keeping
Regardless of whether or not a breach needs to be notified to the supervisory authority, the controller must keep documentation of all breaches.
WP29 recommends that the controller also document its reasoning for the decisions taken in response to a breach. In particular, if a breach is not notified, a justification for that decision should be documented, including why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals.