Organisations must introduce processes for recognising, assessing and notifying data breaches according to new GDPR guidance issued by EU privacy regulators. The draft guidelines address when data controllers and processors are considered to be aware of a breach and the processes organisations should have in place to address data breaches.
Under article 33 of the General Data Protection Regulation (GDPR), controllers must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. Controllers are also required to communicate personal data breaches to the concerned data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons under article 34. As the guidelines clarify, the threshold for notifying data subjects is therefore higher.
When Does a Controller Become Aware of a Data Breach?
According to the guidelines, a controller is aware of a data breach when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Furthermore, the guidelines state that in principle, the controller should be considered aware when a processor who processes data on its behalf becomes aware.
New Processes Required
One of the main takeaways from the guidelines is the emphasis on controllers and processors having processes in place for responding to personal data breaches. In such a process:
- information concerning security-related events should be directed to the responsible person or persons;
- the risk a breach poses to individuals should be assessed;
- the supervisory authority, and if necessary, the individuals concerned, should be notified; and
- the controller should act to contain the breach.
There is also an emphasis on the timeliness of notifications. Supervisory authorities must be notified within 72 hours of becoming aware of a breach, and failure to act in a timely manner could be considered a failure to notify. Individuals should be notified without undue delay so that they can take steps to protect themselves from the negative consequences of the breach.