When should a data controller or processor notify a personal data breach?

The background

The GDPR introduces a mandatory obligation on data controllers to report certain types of personal data breaches to the competent national supervisory authority and the individuals whose personal data has been affected. Data processors must also notify any breach to their controller.

The development

The Article 29 Working Party (WP29) has adopted revised guidelines which are designed to assist controllers and processors in assessing whether it is necessary to notify and to react appropriately when a notifiable breach occurs.

What is a personal data breach?

Article 4(12) of the GDPR defines a personal breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

According to the guidelines, breaches can be categorised as:

  • confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data;
  • availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
  • integrity breach – where there is an unauthorised or accidental alteration of personal data.

When should a data controller notify a personal data breach?

Article 33 of the GDPR requires that a data controller report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The WP29 considers that a controller can be considered to have become “aware” of a breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. The revised guidelines clarify that a controller only becomes “aware” of a breach at processor level when the processor notifies the breach to it, as opposed to when the processor becomes aware. However, the revised guidelines also now refer specifically to Article 87 of the GDPR and state this places controllers under an obligation to ensure that that they become “aware of any breaches in a timely manner”. This reading of Article 87 therefore places a practical burden on controllers to gear up in terms of technology, staff and internal processes to ensure consistent and effective risk assessment so that breaches can be notified promptly.

The guidelines set out some practical steps that should be taken in all cases:

  • information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk;
  • risk to individuals as a result of a breach should then be assessed (likelihood of no risk, risk or high risk), with relevant sections of the organisation being informed;
  • notification to the supervisory authority, and potentially communication of the breach to the affected individuals should be made, if required; and
  • at the same time, the controller should act to contain and recover the breach.

Data controllers should also ensure that they record each breach (as this is an express requirement under Article 35(5) of the GDPR). The WP29 recommends recording the reasoning for decisions taken in response to a breach and clarifies that it will be incumbent on the controller to determine the appropriate period of retention for the breach record(s).

What about data processors?

If a processor becomes aware of a breach, it must notify the controller “without undue delay”. The WP29 is clear in its revised guidelines that the processor does not need to assess the likelihood of risk arising from a breach before notifying the controller. It is the controller that must make this assessment on becoming aware of the breach, the controller being deemed to have such awareness as soon as notification is received. Notably, the WP29’s original recommendation of immediate notification by the data processor has been reduced in the revised guidelines to prompt notification, reflecting more accurately the GDPR requirement of notification “without undue delay”.

What should a notification include?

The guidelines state that the minimum information to be provided in a notification includes:

  • the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;
  • the likely consequences of the breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When should individuals be notified?

A data controller is required to communicate a personal data breach to the data subject without undue delay when the personal data is likely to result in a high risk to the rights and freedoms of natural persons.

The WP29 says:

  • "without undue delay" means “as soon as possible”; and
  • a high risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation.

The WP29 identifies the following criteria that should be taken into account when assessing risk:

  • the type of breach;
  • the nature, sensitivity and volume of personal data;
  • ease of identification of individuals;
  • severity of consequences for individuals;
  • special characteristics of the individual;
  • the number of affected individuals; and
  • special characteristics of the data controller.

The WP29 says that when notifying individuals, Article 34(2) requires that the controller should at least provide the following information:

  • a description of the nature of the breach;
  • the name and contact details of the DPO or other contact point;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken or proposed to be taken by the controller to address the breach.

The controller should also, where appropriate, provide specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords.

The WP29 recommends that controllers should choose a means that maximises the chance of properly communicating information to all affected individuals. In its view, for example, a notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual.

Why is this important?

If data controllers fail to notify a personal data breach, a fine of up to €10m or up to 2% of global annual turnover can be imposed. In some cases, the failure to notify a breach could reveal either an absence or an inadequacy of security measures and the supervisory authority may also issue a second sanction for the absence of (adequate) security measures (this could be up to €20m or up to 4% of global annual turnover).

Any practical tips?

Where doubt exists as to whether the obligation to notify a breach arises, data controllers should err on the side of caution. Likewise, processors should notify their controllers promptly if a breach is suspected although, as the revised guidelines acknowledge, it is not incumbent upon them to assess the likelihood or degree of risk arising from the breach.

Data controllers and processors should have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk, and notifying the breach. To show compliance with the GDPR it would be useful to demonstrate that employees have been informed about the existence of such procedures and mechanisms and that they know how to react to breaches.

Carrying out a Data Protection Impact Assessment should also be considered best practice for ensuring that a personal data breach is unlikely to occur but if it does, that it is understood and acted upon without undue delay, in compliance with the new notification requirements.