This is part two of a five-week series discussing General Data Protection Regulation (GDPR) and its implications for U.S. businesses and organizations.
Among the obligations the GDPR imposes on businesses are data breach reporting requirements. The GDPR’s notification requirements are triggered when a business becomes aware of a personal data breach. Companies have different reporting obligations depending on whether they are considered a data controller or a data processor. A controller is the business that determines the purposes and means of processing personal data. A processor is the business that processes the data on the controller’s behalf and according to its instructions. A controller’s or processor’s duties kick in only when a personal data breach occurs. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Once a controller becomes aware of a data breach, it must notify its supervisory authority without undue delay. The controller’s supervisory authority is an independent public authority established by the EU member state where the controller’s main establishment is located, or by an EU member state where the breach affects a substantial number of individuals. While this notification has to be made without undue delay, it must be made within seventy-two hours of when the business becomes aware of the breach. If the controller fails to meet the seventy-two hour deadline, its late notification must be accompanied by the reasons for the delay, such as a request from law enforcement to hold off on notice. However, no notification is required if the breach is unlikely to result in a risk to the rights and freedoms of individuals. Regardless of whether a notification is required, the company must document every breach it suffers, including the facts of the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
A business classified as a processor has less stringent notification requirements under the GDPR than a business that is considered a controller. First, there is no seventy-two hour notification requirement for a processor. Instead, a processor only has to notify the affected data’s controller without undue delay after the processor becomes aware of the breach. In addition, a processor has no governmental notification obligation like a controller does. Note, however, that the processor’s duty to notify the controller is not subject to the risk exception described above: the processor must report every personal data breach it becomes aware of, and it is the controller that assesses the risk and decides whether the supervisory authority and affected individuals must be notified.
Notification Content and Documentation Requirements
A controller’s governmental notification must include the following elements:
- A description of the breach, including the types and amount of data affected and the number of affected individuals;
- The name and contact information of the company’s data protection officer or another contact point from which more information about the breach can be obtained;
- A description of the data breach’s consequences and effects; and
- A description of what the company has done to stop and address the breach and any efforts the company has taken to prevent adverse effects from the breach.
Individual Notification Requirements
In addition to a governmental notification, a business classified as a controller will have to separately notify each affected individual of the breach if the breach is likely to result in a high risk to the individual’s rights and freedoms. This individual notification must be made without undue delay. It has to describe the nature of the breach in clear and plain language, and it must at least include the contact point, the description of consequences and the description of remedial measures listed above.
However, this individual notification is not required if any of the following exceptions apply:
- The company had applied appropriate protective measures to the affected data that render it unintelligible to anyone not authorized to access it, encryption being the prime example (this exception does not hold if the decryption keys were exposed in the same incident, because the data is then no longer unintelligible to the attacker);
- The company has taken measures following the breach that ensure the high risk to the affected individuals is no longer likely to materialize; or
- The effort required to notify each individual separately would be disproportionate.
If individual notification is exempted because of the disproportionate effort it would take to notify each affected individual separately, the company must instead inform the affected individuals by a public communication or similar measure. That public notification must be equally effective at informing the affected individuals as separate individual notifications would have been.
Sanctions for Non-Compliance
A business that fails to meet the notification requirements outlined above can be fined up to €10,000,000 or two percent of its annual worldwide turnover for the preceding financial year, whichever is higher. The GDPR’s higher tier of fines, up to €20,000,000 or four percent of annual worldwide turnover, is reserved for other infringements, such as violations of the basic principles for processing or of data subjects’ rights, and a notification failure that is part of such a broader violation can expose a business to that higher tier as well. Additionally, individuals affected by a data breach have the right to lodge a complaint with a supervisory authority or to seek a judicial remedy against a business for its failure to comply with the GDPR’s notification requirements.