To date, GDPR headlines have mainly focused on the threat of heavy fines. However, the Information Commissioner’s Office (the ‘ICO’) has made it clear that issuing fines has always been, and will continue to be under the GDPR, a last resort (see here). Rather, the most immediate impact of the GDPR following a data breach is the new obligation under Article 29 to notify both the ICO and those individual data subjects affected by data breaches. These individuals are most likely to be the clients, customers, suppliers and other contacts upon which your organisation relies and, following any significant data breach, notification may lead to that breach becoming public.
Under the existing Data Protection Act 1998, there is no obligation to notify individual data subjects. Whilst some organisations do currently notify customers of data breaches, this may be low down the list of priorities rather than forming part of an immediate response strategy. Under the GDPR, this will have to change given the tight deadlines within which to notify where necessary, and the possible consequences of failing to do so.
The notification requirements are set out in Articles 29 and 33 - 35 of the GDPR, which create further financial consequences for non-compliance. Crucial definitions are left undefined in the GDPR itself, but the Article 29 Data Protection Working Party (the ‘WP29’) is consulting upon comprehensive guidance on the topic (the ‘Guidelines’ here). These Guidelines shed light on those undefined terms and provide examples of when you should, and should not, notify. In the event of a breach under the GDPR, there is no substitute for consulting these Guidelines.
In the meantime, under the GDPR, the key to protecting your reputation in the event of a data breach will be formulating an adaptable and comprehensive response plan. To help formulate that response plan, here is a summary of the key issues you should be considering now.
What constitutes a personal data breach?
The definition of a ‘personal data breach’ within the GDPR (Article 4(12)) provides little help to organisations in determining whether or not a breach has occurred. Helpfully, the Guidelines have categorised three types of breach:
- Confidentiality breach: the disclosure of, or access to, the data by an unauthorised person;
- Availability breach: the loss of access to, or destruction of, the data; and
- Integrity breach: an alteration of the data.
The Guidelines rely upon practical examples of problems that could occur in a normal working environment. One example of a data breach which would surprise many organisations is an ‘availability breach’ where a customer’s personal data is unavailable for a certain period of time due to a system shutdown.
When does a data controller become ‘aware’ of a breach?
Awareness, as suggested by the WP29, occurs when the data controller has a ‘reasonable degree of certainty’ that the breach has occurred. Undoubtedly, there will be some instances when it is unclear whether or not a breach has occurred. To provide for these situations, organisations will have a ‘short period’ of time to carry out an investigation after first being informed about a potential breach. During that initial investigation, they will not be considered to be ‘aware.’ Unhelpfully, ‘short period’ is not defined in the Guidelines, but it is suggested this should be ‘no longer than is necessary’ to establish ‘with a reasonable degree of certainty’ whether or not a breach has occurred.
For example, it was widely reported in March this year that Deloitte had discovered that hackers had had access to its systems since November 2016. Under the GDPR regime, if Deloitte had not had any reason to believe that its systems had been hacked back in November 2016, it would not have been considered as having been ‘aware’. Thereafter, after first realising that the hack might have occurred, Deloitte would have been allowed a short period of time to investigate before becoming obliged to notify.
Not only does this give organisations a reprieve, but it also prevents unnecessary notifications being made. If, after the short initial investigation, you establish that there is a ‘reasonable degree of likelihood’ that a breach has occurred, the clock will start ticking from the moment of that discovery.
As part of your response plan, you should therefore start thinking about who will conduct these investigations, and how these will be conducted.
When should notification take place?
The GDPR specifies that notification to the ICO should take place “without undue delay” and, “where feasible,” within 72 hours (or else notification needs to be accompanied with reasons for the delay). Notification to data subjects is not subject to the same time limit, simply being required “without undue delay.”
However, not all personal data breaches need to be notified. Data controllers are only required to notify the ICO when a breach is “likely to result in a risk to the rights and freedoms of the individual.” The threshold for notifying individuals is higher. Notifications are only required where there is a high risk to their rights and freedoms. The rationale behind this is to avoid “notification fatigue” – a consequence of individuals being unnecessarily notified every time a breach occurs, even if small and insignificant.
To help you assess the risk attached to a breach, the WP29 has provided the following list of factors to consider:
- The type of breach
- The nature, sensitivity and volume of personal data affected
- How easy it is to identify individuals from the data
- The severity of the consequences for individuals
- Any special characteristics of the individual
- The number of individuals affected
- Special characteristics of your organisation (as the data controller)
With respect to an availability breach, whilst this would not necessarily constitute a notifiable breach in most circumstances, individual data subjects may need to be notified in an organisation such as the NHS where the unavailability of patients’ medical records could present a serious risk to their health.
The GDPR allows for a two-stage notification process, meaning you can make the first notification as early as possible, even where you don’t yet know the full impact of the breach. This is particularly helpful given the 72-hour deadline for informing the ICO. Once the initial notification is made, you then have time to conduct a further investigation, after which you can submit a more detailed notification.
If you are ever unclear whether or not you are obliged to notify the individuals affected, you could liaise with the ICO. Working with your regulator means sharing the decision-making burden and, ultimately, being confident that whatever decision is made is the right one.
How should you notify individuals affected?
When it comes to notifying individuals, there is some flexibility to allow for different types of individual and breach. In the most serious of breaches, for example, where there is an immediate risk to the personal or financial security of the individual, the WP29 recommends contacting individuals via several different means (for example, via email, text message, notifications on websites or even through advertising).
What to include in the notification?
It is important not to lose sight of the purpose of the notification requirement, which is to help individuals decide what steps, if any, they can take to reduce the damage (for example, cancelling their credit cards or resetting their passwords). To that end, the Guidelines set out what information to include in the notification, including details of any damage limitation measures the organisation has taken. The WP29 also recommends providing specific advice to individuals about how they themselves can limit the damage.
Individuals must be able to understand, and therefore act upon, the notification. The detail and means of transmission of any notification should be considered ahead of time in your organisation’s response plan.
Failure to comply with the notification obligation can result in a fine of up to €10,000, or 2% of an organisation’s global turnover (whichever is higher). However, if your organisation can demonstrate it has a responsible response plan and has been proactive in identifying and remedying the breach, this will be important in helping to mitigate the regulatory consequences of such a breach. Other factors the ICO will take into account when considering administrative fines include the gravity and duration of the infringement, whether there have been any previous infringements, the degree of cooperation with the ICO, and the manner in which the infringement became known to the ICO. The WP29’s guidance on administrative fines can be found here.
What you should be doing now
- Putting in place a data breach response plan. This will need to be reviewed and updated continually, and adapted and applied on a case-by-case basis.
- Reviewing your contracts with data processors. You, as a data controller, will remain responsible for any breaches by processors you have engaged. Those contracts should therefore impose obligations on data processors to notify you as soon as they become aware of a breach. This will be crucial in enabling you to meet your own notification obligations.
- Reviewing your organisation’s systems and IT security measures. The best way to avoid grappling with the new notification obligations is to put in place measures to minimise the risk of data breaches. If robust enough, it will be these systems that will prevent data breaches occurring in the first place.
This new notification obligation will almost certainly motivate compliance with the GDPR. After all, once lost, reputation is not so easily won back.