On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”) (the “Draft Guidelines”). The GDPR will require breach notification within 72 hours of awareness of a breach. The Draft Guidelines appear to have been released for public comment during the week of October 16; the deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”).
The WP29 guidance regarding personal data breaches has been long awaited. Organizations should carefully consider the Draft Guidelines and the finalized guidelines when these are published, and likely will need to update their incident response plans to facilitate compliance.
In general, under the GDPR, a controller must notify the:
- relevant DPA “without undue delay and, where feasible, not later than 72 hours after having become aware” of a breach unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”; and
- affected data subjects of the breach “without undue delay” where the breach is “likely to result in a high risk to the rights and freedoms of natural persons”.
By contrast, a processor must notify all breaches to its controller “without undue delay” after becoming “aware” of a breach.
The Draft Guidelines provide guidance regarding each of the controller’s and processor’s notification obligations. In particular, the Draft Guidelines contain guidance regarding:
- The meaning of “personal data breach”: According to the WP29, personal data breaches typically involve at least one of the following: (i) compromise of the confidentiality of data; (ii) breaches that render personal data unavailable (e.g., a ransomware attack that encrypts the sole copy of relevant personal data); or (iii) unauthorized or accidental alteration of personal data. Significantly, in addition, according to the WP29, “any other form of processing which violates the GDPR” could also amount to a personal data breach.
- Breach notification timelines: Under the GDPR, controllers and processors must report breaches “without undue delay” after becoming “aware” of the breach. Once the controller has established with “a reasonable degree of certainty” that a breach has occurred, it is considered to have become “aware”, and it must notify “where feasible” within 72 hours of awareness. Regarding the processor’s obligations, the WP29 recommends that notification by the processor to the controller be “immediate” so as to assist the controller in meeting its notification timelines.
Importantly, according to the WP29, “in principle, the controller should be considered ‘aware’ once the processor has become aware.” If the processor’s knowledge is imputed to the controller, it could, in practice, significantly affect the controller’s ability to meet deadlines for reporting breaches to the DPA and affected individuals. The WP29 has, however, affirmed that in certain circumstances, notifications by controllers may occur in phases (e.g., when additional information regarding the breach becomes available), and delayed notifications may also be excused – but such delayed notifications should not “regularly take place”.
- Meaning of “risk”: As the concepts of “risk” and “high risk” are critical for the breach notification obligations, the WP29 sets out factors that must be considered by controllers with regard to the level of risk, namely: (i) the type of breach; (ii) the nature, sensitivity and volume of the personal data; (iii) ease of identification of individuals; (iv) severity of consequences for individuals; (v) special characteristics of the individuals; (vi) number of affected individuals; (vii) special characteristics of the data controller; and (viii) other general considerations.
- DPA to whom breaches must be reported: Ordinarily, the controller should notify the DPA in the Member State in which it is established. For cross-border processing, according to the WP29, where a breach of personal data occurs in this context and data subjects are in more than one Member State, only the lead DPA needs to be notified, though the controller may elect to notify other DPAs too.
- When controllers do not need to notify the DPA: Controllers will not need to notify the DPA of a personal data breach when the breach is “unlikely” to result in a risk to the rights and freedoms of natural persons. The examples given by the WP29 demonstrate that this exception will be narrowly construed (e.g., where the personal data is already publicly available and disclosure will not be a risk to the individual). Similarly, for example, if the personal data compromised has been encrypted and a backup copy of the data is available, controllers may not need to notify – so long as the encryption key remains secure.
- Notifying data subjects: Regarding the controller’s duty to notify data subjects of “high risk” breaches, according to the WP29, the main objective is to provide specific information to individuals about the steps they should take to protect themselves. There is no prescribed method for communicating to data subjects, but the Draft Guidelines provide that – unless certain narrow exceptions apply – communication should be made directly to each data subject.
- Recordkeeping: Regardless of whether a breach needs to be notified to the DPA or not, the controller must maintain records of all breaches, and these records should contain key information about the incident and response.
- DPO: The Draft Guidelines reiterate the importance of a data protection officer in notifying of a breach and in potential subsequent investigations by the DPA.