GDPR key challenges: mandatory data breach notification

Susanne Hofmann Data Protection Officer, PwC Switzerland and Liechtenstein 08 Mar 2017

The EU General Data Protection Regulation (GDPR) introduces a mandatory data breach notification regime. Companies should develop or update their internal data breach notification procedures by May 2018. These should comprise incident identification systems as well as incident response plans.

Data breaches

Data breaches will have to be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours. A data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It is important to note that no notification is required if the data breach is unlikely to result in a risk to the rights and freedoms of the persons affected. However, guidance on how to determine such risk to the rights and freedoms of data subjects is yet to be provided. The European Data Protection Board (EDPB) is expected to issue further guidance on data breach notifications.

Furthermore, a data breach likely to result in a high risk to the rights and freedoms of data subjects generally requires the company to communicate the breach to the data subjects concerned without undue delay. The need to communicate such information may also be triggered by a decision of the supervisory authority deeming a particular data breach to pose a high risk to natural persons. This notification regime also applies to outsourcing. If a company outsources data processing to a data processor, the company must make sure that it will be informed by the data processor immediately if any data breaches occur.

Documentation requirements: internal data breach register

Companies are obliged to document each incident in a way that comprises “the facts relating to the personal data breach, its effects and the remedial action taken”. This amounts to the establishment and maintenance of an internal data breach register. This register should include information concerning the nature of the breach and the supporting facts that were sent to the authority or the data subject affected. Furthermore, the register should include the measures taken after the breach (lessons learned). This documentation is also important given that a supervisory authority might wish to review the relevant register to verify compliance with the GDPR’s data breach notification regime.

Sanctions in the event of non-compliance

Failure to meet the above requirements may lead to administrative fines of up to EUR 10m or up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. Given that the legal notions in the GDPR are currently still unclear, the clarifications by the EDPB will prove crucial to avoid any infringement of the notification obligation. In addition, the GDPR grants data subjects the right to bring legal proceedings before a court if their rights have been infringed. This opens the door to individual compensation claims for mere distress as well as class actions, including those brought by pressure groups. As a consequence, litigation for data breaches may follow the example set in the United States, which frequently sees court proceedings for compensation after privacy and security breaches.

Recommendations

In line with the accountability principle laid down by the GDPR, companies should develop or update their internal data breach notification procedures. These should comprise incident identification systems as well as incident response plans, including, for example, descriptions of how security breaches are prevented and the process the company should follow to respond adequately to such incidents. Such procedures should be regularly tested and reviewed. In addition, companies should make sure that existing data processing agreements oblige outsourcing service providers to proactively notify breaches. In a wider context, the obligations originating from the data breach notification also feed into the general obligation of privacy by design and privacy by default and thus tie in with technical and organizational measures, such as rendering data unintelligible in case of unauthorized access.
