This is a new concept. The introduction of new breach notification requirements is a significant evolution from the current regime.
How does this concept differ from the current position?
Under current EU data protection law, the requirements to make notifications following data breaches are few and far between and generally only apply in certain sectors (e.g. the telecoms sector).
However, under the GDPR, a company will be legally obliged to inform its data protection regulator (and, in certain circumstances, the data subjects themselves) when security breaches which affect personal data occur. These obligations take different forms depending on whether the company is acting as a “data controller” or “data processor”.
Notification by data controllers – to the regulator
If a personal data breach occurs which is likely to pose a risk to the rights and freedoms of individuals affected, the data controller must notify its data protection regulator “without undue delay” and (where feasible) within 72 hours.
The notification will need to:
1. describe the breach – including, where possible, by giving details of the approximate number/types of data subjects and data records affected
2. identify the company’s data protection officer/other contact point who can deal with follow-up queries
3. describe the likely consequences of the breach
4. describe the measures taken or proposed to be taken to address the breach and mitigate its effects.
It will be possible to issue a holding response if the 72-hour timeline can't be met – but any delay in responding will need to be justified.
Notification by data controllers – to individuals affected
If a personal data breach occurs which is likely to pose a high risk to the rights and freedoms of the data subjects affected, the data controller must notify those data subjects “without undue delay”.
This type of notification will need to contain at least the information described in 2 – 4 above.
Notification by data processors – to the data controller
A data processor will need to notify the relevant data controller “without undue delay” of any personal data breach.
What will the impact be on your business?
These new requirements will impose a significant additional administrative burden on companies. Not only will specialist expertise need to be sourced internally or externally to ensure security measures meet the required standards, but resources will also need to be devoted to monitoring the performance of those security measures and then rapidly compiling the information required as soon as any breach is registered.
Companies will therefore need to ensure that they have adequate monitoring systems and data collation processes in place, as well as making available the necessary personnel to pull together required information and liaise with regulators and the public as necessary.
What actions should you take to prepare?
- Review existing security measures and make necessary improvements.
- Train personnel on what constitutes a "data breach" and breach notification requirements.
- Put in place appropriate monitoring and data collation systems/processes.
- Develop an internal policy documenting how communications should be issued to regulators and data subjects in response to data security breaches.