What should you do if your company is affected by a cyber-attack and hackers obtain your employees’ personal data, or one of your employees loses a USB stick or laptop containing personal data? Guidance issued by the Article 29 Data Protection Working Party (‘WP29’) on 3 October 2017 has clarified the steps organisations should take in dealing with personal data breaches.
Under the General Data Protection Regulation organisations acting as data controllers must notify a data breach when there is a risk to data subjects’ rights and freedoms. Data processors (any person or organisation processing data for the controller) also have a role to play, since they must notify all breaches to the data controller. A distinction has to be made between notifying the supervisory authority and notifying the data subjects affected by a data breach.
Notification of the data breach to the supervisory authority
A data controller is obliged to notify a data breach when there is a risk to data subjects’ rights and freedoms. There will be such a risk where the loss of personal data could lead, for example, to identity theft or fraud, financial loss or reputation damage.
In this case, the controller must notify the breach to the supervisory authority without undue delay, and (where feasible) not later than 72 hours after having become aware of it. If it is not possible to notify within 72 hours, the notification must be accompanied by reasons for the delay when it is made.
What does ‘become aware’ mean?
According to WP29, a controller has ‘become aware of a breach’ when they have a reasonable degree of certainty that a security incident involving personal data has occurred. This will vary from case to case, but if an incident occurs, it is important to investigate whether the security of personal data has been breached, and if so, to take action and notify the breach if necessary.
In order to conduct such an investigation, the controller should have internal processes in place to detect and handle the breach. Furthermore, the controller must document all breaches.
Where a Data Protection Officer (‘DPO’) has been appointed, the DPO acts as a contact point for the supervisory authority and the data subjects affected by the breach of data privacy.
When the data breach presents a high risk to data subjects’ rights and freedoms, the controller must also communicate that breach to the affected data subjects. Controllers can seek advice from the supervisory authority on whether the data subjects have to be informed or not.
Notifying data subjects affected by a personal data breach
Where a data breach is likely to result in a high risk to a data subject’s rights and freedoms, the data controller should notify the affected individual ‘without undue delay’. To assess whether there is a high risk, the data controller should take into account the specific circumstances. For example, when medical records come into the hands of unauthorised parties, the risk to the rights and freedoms of the data subject concerned will be higher than if those records had simply been lost.
When there is a high risk to the data subject’s rights and freedoms, they must be notified regarding the breach. This notification must include both the nature of the breach, and proposed measures to mitigate its possible adverse effects (for example, changing the individual’s password).
In principle, the affected subjects should be notified individually, unless doing so would be disproportionate. If this is the case, affected data subjects can be informed by a public communication, for example by a prominent website banner, a newsletter or a general email. It is extremely important that as many data subjects as possible are reached and that information regarding the breach is communicated in clear language.
Consequences of not notifying a data breach
If a breach is not notified to the supervisory authority or, where necessary, to the affected data subjects, this may lead to an administrative fine of EUR 10,000,000 or 2% of the organisation’s total worldwide annual turnover in the preceding financial year, whichever is the greater.
Preparing to manage a data breach
Organisations should prepare a plan to detect and handle data breaches, to determine the risk for data subjects and to notify those affected by the breach if necessary. Notification to the supervisory authority must also be a part of this plan.
The plan should cover:
Dealing with a data breach when it happens
Where you identify or are informed of a security incident involving a breach of personal data, consider adopting the three-step plan below.
Step 1: Check if the breach could result in a risk to data subjects’ rights and freedoms (such as identity theft or fraud, or reputational damage).
No? No requirement to notify the supervisory authority or the data subjects affected.
Yes? You must notify the supervisory authority within 72 hours of becoming aware of the breach.
Step 2: Check if the breach results in a high risk to data subjects’ rights and freedoms.
No? No requirement to notify the data subjects affected.
Yes? You must notify the affected data subjects of the breach and inform them of the measures they can take to mitigate the damage.
Step 3: Document all data breaches (including facts, consequences and corrective measures adopted).