Article 29 Working Party publishes Guidelines on Personal data breach notification under GDPR


Background information / scenario

On 18 October, the Article 29 Working Party (hereinafter, “WP29”) published its Guidelines on Personal data breach notification under Regulation 2016/679 (“Guidelines”). The Guidelines are not, however, final as stakeholders have until 28 November 2017 to provide their comments and feedback.

The EU General Data Protection Regulation (hereinafter, “GDPR”) introduces the requirement for a personal data breach to be notified to the national competent Data Protection Authority (pursuant to Article 33 of the GDPR) and, in certain cases, to be communicated to the individuals whose personal data have been affected by the breach (pursuant to Article 34 of the GDPR).


Main issue

The WP29 Guidelines aim to explain the GDPR mandatory breach notification and communication requirements and some of the actions that controllers and processors can implement to comply with these new obligations. Furthermore, an Annex is dedicated to a non-exhaustive list of examples of personal data breach scenarios, which is intended to assist controllers in determining whether they need to notify a certain data breach and to whom.

A number of distinctive elements of the Guidelines are summarised below.

  • What is a personal data breach?

According to Article 4(12) of the GDPR, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This means that a personal data breach is a security incident affecting personal data that makes the controller unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR. In its Opinion 03/2014, WP29 defined three categories of personal data breaches:

– “Confidentiality breach”: unauthorised or accidental disclosure of, or access to, personal data.
– “Availability breach”: accidental or unauthorised loss of access to, or destruction of, personal data.
– “Integrity breach”: unauthorised or accidental alteration of personal data.

  • When to notify?

According to Article 33(1) of the GDPR, “in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

WP29 specifies that a controller should be regarded as having become aware when, taking into account the circumstances of the specific breach, the controller has a reasonable degree of certainty that a security incident has occurred that has compromised personal data. Once the controller has established that a breach has occurred, it shall notify the supervisory authority without undue delay and, where feasible, within 72 hours.

The GDPR recognises that controllers may not have all the necessary information concerning a breach within 72 hours of becoming aware that it has occurred. It therefore allows for the notification to take place in phases, provided that the supervisory authority is informed that the controller will provide more information after the first notification. The framework set out by the GDPR aims to encourage processors and controllers to act promptly after a breach, contain it and, if possible, recover the compromised personal data and to immediately seek relevant advice from the supervisory authority.

To a certain extent, the GDPR allows for delayed notifications, but in such cases notification to the supervisory authority shall be accompanied by reasons for the delay.

  • Consequences of failure to notify

If controllers fail to notify the data breach to the supervisory authority or to communicate it to the data subjects (infringement of Articles 33 and 34 of the GDPR), the supervisory authority may issue administrative fines of up to 10,000,000 EUR or up to 2% of total worldwide annual turnover (Article 83(4)(a)). In addition, where the failure to notify a breach reveals an absence or inadequacy of existing security measures, the supervisory authority may also issue sanctions for the infringement of Article 32 of the GDPR.

  • What information to provide?

According to Article 33(3) of the GDPR, the notification of the data breach should contain, at the minimum:

– a description of the nature of the personal data breach, including where possible, the categories (for instance, children or employees) and the approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned (such as health data or bank account numbers);
– the name and contact details of the data protection officer or other contact point where more information can be obtained;
– a description of the likely consequences of the personal data breach;
– a description of the measures taken or proposed to be taken by the controller to address the personal data breach.

Further details can be provided by the controllers and may be requested by the supervisory authority during its investigations into the breach.

  • What happens in case of breaches affecting more than one Member State?

In case of a breach affecting data subjects in more than one Member State, the controller should notify the lead supervisory authority, which can be identified, according to Articles 55 and 56 of the GDPR, as the supervisory authority of the main establishment or of the single establishment of the controller or processor. In case of doubt as to the identity of the lead supervisory authority, the controller shall, at the minimum, notify the local supervisory authority where the breach has taken place. Nevertheless, the controller should also indicate whether the breach involves establishments located in other Member States, and in which Member States data subjects are likely to have been affected by the breach.

  • When notification is not required

According to Article 33(1) of the GDPR, breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons” do not require notification to the supervisory authority.

For example, in case of loss of a securely encrypted mobile device utilised by the controller and its staff, the breach would not require notification to the supervisory authority. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data, the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question.

  • When is communication to data subject required?

In addition to notifying the supervisory authority, according to Article 34(1) of the GDPR, the data controller is also required to communicate a breach to the affected individuals, “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. The communication should be done as soon as possible (namely “without undue delay”) and aims to provide individuals with specific information about the steps they should take to protect themselves. This could also be done by providing specific advice to individuals to protect themselves from adverse consequences of the breach (for instance, resetting passwords).

Furthermore, breaches should be communicated to the concerned individuals directly with dedicated and transparent methods of communication which can ensure individuals understand the information being provided to them (e.g., email, SMS or prominent website banners in relevant languages).

Notification to individuals is not required when:

– the controller has applied appropriate technical and organisational measures to protect personal data prior to the breach (such as state-of-the-art encryption);
– immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise;
– it would involve disproportionate effort to contact individuals.

  • How to assess risk and high risk?

The controller should not only seek to contain the incident but also assess the risk resulting from it. Notification of a breach to the supervisory authority is required when there is a likely risk to the rights and freedoms of the individuals. Communication of a breach to the individuals is only triggered when it is likely to result in a high risk to their rights and freedoms.

When assessing the risk, WP29 suggests taking into consideration the following factors: the type of breach, the nature, sensitivity, and volume of personal data, the ease of identification of individuals, the severity of consequences for individuals, the special characteristics of the individual and the data controller and the number of affected individuals.

  • Accountability and record keeping

The controller must maintain documentation of all the breaches that occur, regardless of whether they are required to be notified or not, also in order to demonstrate its compliance with the provisions of the GDPR.

For this purpose, an internal register of breaches should be kept that records all details concerning the breach (such as its causes, what took place and the personal data affected) as well as the effects and consequences of the breach and the remedial action taken by the controller.


Practical implications

Data controllers should:

  • implement an appropriate data security policy which aims to enable, where possible, the prevention of a breach and, when it nevertheless occurs, to react to it in a timely manner;
  • detail security measures and mechanisms in incident response plans and/or governance arrangements in order to effectively plan and determine who has operational responsibility within the organisation for managing a breach and how or whether to escalate an incident as appropriate;
  • have arrangements in place with their processors that impose an obligation to promptly notify the controller in the event of a breach;
  • in case of cross-border processing, make an assessment, when drafting their response plan, as to which supervisory authority is the lead supervisory authority that they will need to notify;
  • keep an internal register of personal data breaches.