Article 29 Working Party Issues Guidelines on Data Breach Notification Under GDPR
- 05/10/2017
On 3 October 2017, the Article 29 Working Party (“WP29”) adopted its draft Guidelines on personal data breach notification under the General Data Protection Regulation (the “Guidelines”). The Guidelines explain when to notify a breach and provide guidance on key obligations and concepts.
At the outset, the Guidelines stress that controllers and processors must already have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed (the security obligation of Article 32 GDPR), so that breaches are prevented in the first place and detected promptly when they do occur.
What Is a Personal Data Breach?
Under the GDPR, a “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The WP29 explains that the concept includes breaches of:
- confidentiality, i.e., an unauthorised or accidental disclosure of, or access to, personal data;
- availability, i.e., an accidental or unauthorised loss of access to, or destruction of, personal data; or
- integrity, i.e., an unauthorised or accidental alteration of personal data.
The Guidelines offer examples of breaches, explaining that accidental deletion of data, temporary unavailability of a service or a ransomware attack can – depending on the specific circumstances – be regarded as a personal data breach and may have to be notified.
When To Notify Supervisory Authorities?
If a breach occurs, the controller and the processor must first of all have procedures in place to detect the breach and determine whether it involves personal data, so that they can respond in a timely manner. This matters because the controller must notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33(1) GDPR). A processor does not notify the supervisory authority itself; it must notify the controller without undue delay after becoming aware of a breach (Article 33(2)).
The WP29 clarifies that a controller will be considered to have become “aware” of a data breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. The Guidelines explain that the controller is not yet “aware” of the breach while it is still conducting a short, preliminary investigation to determine whether or not a personal data breach has occurred. As a result, the 72-hour period for notification to the supervisory authority does not begin to run during that investigation; the Guidelines add, however, that the investigation should start as soon as possible and should not be prolonged, so the period cannot be deferred indefinitely by labelling an incident as “under investigation”.
In order to comply with the GDPR, the WP29 states that the controller should have internal processes in place to be able to detect and address a breach. Furthermore, the controller should make arrangements with its processors, which themselves have an obligation to notify the controller in the event of a breach.
First, when a data breach has been discovered, the WP29 recommends the following steps:
- The organisation must designate a responsible person or persons tasked with managing incidents, establishing whether a personal data breach has occurred and assessing the resulting risk. This person should be informed promptly of all security incidents.
- The risk to individuals resulting from the breach should be assessed and categorised as no risk, risk or high risk, since this categorisation determines whether the supervisory authority and the affected individuals must be notified; the relevant parts of the organisation should be informed of the outcome.
- Where required, the breach should be notified to the supervisory authority and, where there is a high risk, communicated to the affected individuals.
- In parallel, the controller should act to contain the breach and recover from it.
Second, the WP29 makes clear that the controller retains overall responsibility for the protection of personal data, but notes that processors play an important role in enabling the controller to comply with its obligations, including breach notification. The controller is considered to be “aware” of a breach once its processor has become aware of it. The WP29 therefore recommends that controllers contractually require processors to notify any breach “immediately”, with further details about the breach provided as the information becomes available.
Third, the WP29 clarifies the required content of the notification and confirms that notification may be made in phases if the controller does not have all of the necessary information about a breach within 72 hours of becoming aware of it. The WP29 therefore suggests that the controller should tell the supervisory authority if it intends to provide more information later, and should agree with the supervisory authority how and when the additional information will be made available.
Notification to Data Subjects
The GDPR provides that the controller may also have to inform the data subjects affected by the breach (Article 34). Such a communication is due when the breach is likely to result in a high risk to the rights and freedoms of individuals. The controller must communicate with the data subjects “without undue delay”, which the WP29 reads as meaning as soon as possible. Specific information must be provided about the steps affected data subjects should take to protect themselves, e.g., changing passwords, monitoring bank accounts, etc. The WP29 stresses that, in order to achieve the objective of the communication, controllers should choose a means that maximises the probability that the information reaches all affected individuals. Communication to data subjects is not required where the controller had rendered the data unintelligible to unauthorised persons (for example, by encryption where the key was not compromised), where subsequent measures have ensured that the high risk is no longer likely to materialise, or where individual communication would involve disproportionate effort, in which case a public communication or similarly effective measure must be used instead (Article 34(3)).
Risk Assessment
The WP29 explains that the data breach notification obligation is intended to protect data subjects and stresses the importance of assessing the risk to their rights and freedoms. A risk exists where the breach may lead to physical, material or non-material damage to the individuals whose data have been breached. Where the breach involves special categories of data (sensitive data), the WP29 notes that such damage should be considered likely to occur. The WP29 recommends that the risk assessment consider the following criteria: the type of breach; the nature, sensitivity and volume of the personal data breached; how easily individuals can be identified from the data; the severity of the consequences for individuals; special characteristics of the individuals (e.g., children); the number of affected individuals; and special characteristics of the data controller.
Internal Data Breach Register
Finally, Article 33(5) GDPR requires controllers to document every personal data breach, whether or not it is notified, and the WP29 recommends keeping this documentation as an internal register of data breaches, including the “effects and consequences of the breach, along with the remedial action taken by the controller.” The WP29 further recommends documenting the reasoning behind the decisions taken in response to a data breach, including the justification for not notifying the supervisory authority where that is the conclusion reached. Failure to keep such records can itself result in an administrative fine from the supervisory authority.
In this regard, the WP29 suggests that both controllers and processors should have a documented breach response procedure in place, setting out what to do once a breach has been detected, including how to contain and manage the incident and recover from it, how to assess the risk, and how to notify the breach.
The Guidelines are not yet final and stakeholders may submit comments until 28 November 2017.