One of the key changes under the GDPR will be the change to reporting personal data breaches. Under the current legislation, most organisations are not generally legally required to report personal data breaches, albeit it is good practice to report serious data breaches.
Under the GDPR, it will be mandatory to record all personal data breaches and, additionally, to report breaches to the supervisory authority unless there is unlikely to be a risk to the rights and freedoms of individuals. High-risk breaches will also need to be reported to the affected individuals (subject to some exceptions). Processors will also have a duty to notify breaches to their controllers without undue delay.
The Article 29 Working Party (“WP 29”) has proposed guidelines on the data breach rules, including on how to approach the risk assessment and determine whether a breach needs to be reported, and when and how breaches should be notified and documented. In terms of the risk assessment, the guidelines state that controllers will need to consider factors such as the nature, sensitivity and volume of personal data and the severity of the consequences for the individuals – for example, where the breach involves special categories of personal data such as data about health or sex life or personal data about vulnerable individuals, the potential damage to individuals could be particularly severe and there may be more risk. It is important to bear in mind that personal data breaches do not necessarily have to be cyber-attacks and can take various forms, including confidentiality breaches (unauthorised disclosures of personal data), availability breaches (the unauthorised or accidental loss or destruction of personal data) and integrity breaches (the unauthorised or accidental alteration of personal data).
One of the key points in the guidelines is around the timing of notifying breaches to the supervisory authority. The GDPR requires controllers to notify reportable breaches without undue delay and, where feasible, within 72 hours after having become “aware” of the breach. According to the guidelines, a controller should be considered to be aware when it has “a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. In the case of a loss of a CD with unencrypted data this will be when the controller realises the CD has been lost. However, crucially, where the controller uses a processor to process personal data on its behalf, the WP29 considers it will be aware when the processor has become aware (whether or not the processor has actually notified the controller). Controllers may therefore wish to impose additional contractual obligations on their processors to flag breaches promptly, potentially with a short backstop, to enable them to review and report breaches in time.
The guidelines indicate that the GDPR requirement for controllers and processors to implement appropriate technical and organisational security measures will include having processes to react to breaches in a timely manner. To help organisations comply with their obligations, the WP 29 suggests having a documented notification procedure, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk and notifying the breach. Delaying notifying a breach or failing to document a breach could lead to fines or other enforcement action.
The guidelines are open for consultation up to 28 November 2017.