In this issue, we will detail the new data breach notification obligations introduced by the GDPR and provide guidelines on how to implement appropriate processes internally in order to comply with these requirements.
Check List
- Put in place or update a data breach management procedure, including incident identification systems and incident response plans
- Test and review such procedures and plans on a regular basis
- Implement appropriate technical and organisational measures to avoid breaches and limit their extent and gravity
- Raise awareness internally
- Update your controller / processor contracts (service agreements, etc.)
- Review current insurance policies in order to check and assess the extent of their coverage in case of a breach
Under the EU legislative framework in force before the GDPR, there is no general obligation for controllers to report personal data breaches either to the data protection authority (DPA) or to data subjects. A sector-specific requirement to notify breaches to the DPA does however exist for providers of publicly available electronic communications services, as laid out in the Directive on Privacy and Electronic Communications of 2002 (E-privacy Directive).
This specific obligation was introduced in Luxembourg by the law of 28 July 2011: such providers must notify the DPA without undue delay in the case of a personal data breach.
The Luxembourg DPA has published on its website a specific data breach notification form that should be used.
When the personal data breach is likely to adversely affect the personal data or privacy of subscribers or individuals, the provider must also notify them of the breach without undue delay, unless the provider has demonstrated to the satisfaction of the DPA that it had implemented appropriate technological protection measures and that those measures were applied to the data concerned by the security breach.
Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Commission Regulation (EU) No 611/2013 of 24 June 2013, which details the measures applicable to the notification of personal data breaches laid out in the E-privacy Directive, has harmonised piecemeal legislation within the EU in this sector and is in line with the regime in force in Luxembourg. In particular, the regulation provides a list of the information that must be contained in notifications to subscribers.
New general data breach notification requirement for data controllers
The GDPR introduces, in its Articles 33 and 34, a two-tiered approach with a specific regime for notifications to the DPA and another for notifications to data subjects.
1. Notification to the DPA
When - In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
This 72-hour deadline is likely to prove quite challenging and raises many questions regarding its practical application. Companies will have a very short timeframe in which to identify the breach, assess its cause, determine the extent of the failure and, on the basis of a risk assessment, decide whether the breach needs to be reported or not.
If a breach has occurred, controllers will have to determine whether a notification is necessary, based on whether the breach is likely to result in a risk to the rights and freedoms of data subjects. This risk-based assessment will need to be made in concreto, taking into account the relevant circumstances, which will notably include the nature of the data, the gravity of the breach together with its potential consequences for the data subjects (financial loss, reputational damage, etc.) and the technical and organisational measures in place. Note that the test is the risk to the data subjects, not the risk to the controller's business. Upon a decision not to notify, the controller must be able to demonstrate, if need be and in accordance with the accountability principle, that the breach was unlikely to result in a risk to the rights and freedoms of data subjects.
In order to be able to meet this deadline, controllers will have to implement a very detailed Data Breach Incident Management Plan (DBIM Plan), as described below.
What – The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide all of this information at the same time, it may be provided in phases without undue further delay.
Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
How – There is no specific form prescribed for the notification, which, until further guidelines are issued, may be made through a letter sent with acknowledgement of receipt.
2. Notification to data subjects
When - When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the personal data breach to the data subject without undue delay.
We will have to wait for the European Data Protection Board to issue guidelines on the notion of undue delay and on the particular circumstances in which a controller or a processor is required to notify a personal data breach.
Exemption - The communication to the data subject will not be required if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption (this exemption presupposes that the encryption key itself was not compromised in the breach and that the encryption is of sufficient strength);
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Controllers will have to assess very carefully whether they need to notify or whether they fall within one of these exemptions, as a notification could increase the potential reputational harm for a company. Controllers should however bear in mind that, where they have not communicated the breach to the data subjects, the DPA may, having considered the likelihood of a high risk, require them to do so or decide that one of the exemptions applies.
What - The communication to the data subject must describe in clear and plain language the nature of the personal data breach and contain at least the following information:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3. Internal data breach register
The controller shall document any personal data breach, however minor it may be, recording the facts relating to the breach, its effects and the remedial action taken. That documentation shall enable the DPA to verify compliance with the notification obligations. This register must therefore also cover breaches that were assessed as not requiring notification, together with the reasoning behind that assessment.
4. Data breach notification obligations for data processors
The processor shall notify the controller without undue delay after becoming aware of a personal data breach. This obligation is quite general: any personal data breach must be reported to the controller, and no exemptions are listed under the GDPR.
From a practical standpoint, customer (controller) / supplier (processor) agreements will need to be updated to mirror the new data breach notification requirements.
Data controllers will need to contractually set out a clear regime and process for processors, introducing parameters for the timeframe of the notification and the triggers that start this timeframe, a process for the notification, and a requirement to cooperate and provide the assistance necessary for the controller to comply with its own notification obligations.
Data processors, on their side, should make sure that the process and parameters contractually agreed are technically realistic and manageable.
Data breach incident management plan
In line with the accountability principle, companies now have to put in place or update a DBIM Plan, including incident identification systems and incident response procedures.
Setting up a DBIM Plan will require cooperation mainly between the management, legal and IT teams in order to create a tailor-made procedure for the company for dealing with a suspected data breach, implementing mitigating measures and, if necessary, notifying the DPA and/or the data subjects.
The Plan must clearly determine elements such as: the starting point of the 72-hour timeframe, that is to say, when the company should internally be considered to have "become aware" of the breach (e.g. receipt of information from a data processor and confirmation from the IT team, or a signal from the IT team and confirmation of the launch of the DBIM Plan by a designated member of management); the internal organisation; the persons responsible; the information channels; and coordination with the IT team.
The measures to be taken in order to mitigate the risk will have to be assessed on a case-by-case basis following a thorough risk assessment.
New regime for providers of publicly available electronic communications services?
In January 2017, the European Commission issued a proposal for a regulation that would replace the current E-privacy Directive and was intended to apply from 25 May 2018, the same date as the GDPR. This proposal contains wording that is very similar to the wording currently applicable to data breach notifications under the E-privacy Directive.
Since the proposal does not repeal Regulation 611/2013, providers of publicly available electronic communications services will, technically, still have to notify breaches to the competent DPA under the regime established by Regulation 611/2013. Whether they will also have to notify under the GDPR remains unclear.
This new obligation will clearly create practical challenges for companies, which have to start revisiting or creating procedures for breach management.
Beyond the considerable potential financial sanction (an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher), the most important element for companies will be to manage and mitigate reputational harm. The key is clearly to set up, from now on, appropriate technical and organisational measures to avoid breaches and, if breaches do occur, to have a strong and well-adapted DBIM Plan.