Since the introduction of the General Data Protection Regulation (“GDPR”) on 25 May 2018 there has been a dramatic increase in breach notifications to the relevant supervisory authorities across Europe, including to our own Data Protection Commissioner in Ireland. Under the regulation, Article 33 requires a Data Controller to notify the relevant supervisory authority not later than 72 hours after first becoming aware of a personal data breach. The notification is made to the Data Protection Commissioner on a prescribed form and requires a description of the breach, including the categories and approximate numbers of impacted individuals, the types and volume of data affected, a description of the likely consequences of the breach and any steps taken by the Data Controller to deal with it. Furthermore, where the breach is likely to result in a high risk to the affected individuals, those individuals must be notified without undue delay.
In the months leading up to 25 May, and since, greater media coverage and campaigns by the relevant authorities have increased individuals’ and organisations’ awareness of their rights and obligations under GDPR. The potential fines, of up to €20,000,000 or 4% of global turnover, or €10,000,000 or 2% of global turnover, depending on the seriousness and nature of the data breach, have also helped to focus people’s minds on the importance of data privacy.
Unfortunately, breaches do and will occur, and for some organisations those breaches are on a very significant scale. Companies that have come under scrutiny for large-scale data breaches in recent months include Ticketmaster, Harvey Norman and Air Canada. Whilst it is inevitable that data breaches will occur, the best course of action is prevention: by ensuring that security systems and processes are put in place to protect all personal data from accidental or deliberate disclosure, organisations can reduce both the number and the impact of these breaches.