First aid in case of data breaches

Suppose that your company is affected by a cyber-attack and hackers purchase your employees’ personal data, or that one of your employees loses a USB stick or laptop on which personal data are saved. Clearly, these are cases of personal data breaches, but what should you do? The advice of the Article 29 Data Protection Working Party (WP29) of 3 October 2017 now brings more clarity to the required steps to take.  

The GDPR obliges data controllers to notify a data breach when there is a risk to the rights and freedoms of natural persons. The data processors also have a role to play, since they must notify each breach to the data controller.

A distinction has to be made between the notification of a data breach to the supervisory authority and the notification of the breach to the data subjects

Notification of the  data breach to the supervisory authority

A data controller is not obliged to notify the data breach when there is no risk to the rights and freedoms of natural persons. This is the case when the loss of personal data would lead to identity theft or fraud, financial loss or reputation damage for example.

In case of such risk, the controller must without undue delay, and (where feasible) not later than 72 hours after having become aware of it, notify the breach to the supervisory authority. Where the notification is not possible within 72 hours, the notification must be accompanied by reasons for the delay.

72 hours after “having become aware”

According to the WP29, a controller “has become aware of a breach” when that controller has a reasonable degree of certainty that a security incident has occurred with personal data involved. This will vary from case to case, but if an incident occurs, it is important to investigate whether personal data have been breached, and if so, to take action and notify the breach if required.

For such an investigation, the controller should have internal processes in place to be able to detect and handle the breach.. Furthermore, the controller must keep documentation of all breaches.

Where a Data Protection Officer (DPO) is in place, this DPO acts as a contact point for the supervisory authority and the data subjects.

When the data breach contains a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected data subjects. The controllers can seek advice from the supervisory authority to know whether the data subjects have to be informed or not.

Notification of the personal data breach to the data subjects without undue delay

The data controller should notify the data breach to the affected individual without undue delay when the breach is likely to result in a high risk to the individual’s rights and freedoms. To assess this, the data controller should take into account the specific circumstances. When for example medical records come into the hands of unauthorised parties, the risk to the rights and freedoms of the data subject will be higher than if the medical records have simply been lost. 

When there is a high risk to the rights and freedoms of the data subject, the breach must be notified to the data subject. The notification must mention both the nature of the breach, and measures to mitigate the possible adverse effects (for example by changing the individual’s password). 

In principle, the affected subjects should be notified individually, unless doing so would be disproportionate. In such case, the affected individuals may be informed by a public communication, for example by a prominent website banner, a newsletter or a general e-mail. It is most important that as many data subjects as possible are reached and that the communication is in clear language.

Administrative fine

If a breach is not notified (to the supervisory or to the data subjects), this may lead to an administrative fine of EUR 10,000,000 or 2% of the employer’s total worldwide annual turnover in the foregoing financial year, whichever is the greater.

> Action point

Develop a plan to detect and handle data breaches, to determine the risk for natural persons and to notify the breach to the affected individuals if required. The notification to the supervisory authority must also be a part of this plan.

Preparation

Develop an action plan to:

  • Detect and handle data breaches;
  • Determine the risk for the data subjects;
  • Notify the breach to the supervisory authority and to the data subjects, if required. 

You identify a safety incident or you have been informed of a safety incident and take note of a breach of personal data

Step 1: Check if the breach can result in a risk to the rights and freedoms of the data subjects (identity theft or -fraud, reputational damage...)  

  • No? No requirement to notify the supervisory authority / the data subjects
  • Yes? You shall notify the supervisory authority within 72 hours after having become aware   

Step 2: Check if the breach result in a high risk to the rights and freedoms of the data subjects

  • No? No requirement to notify the data subjects
  • Yes? You must notify the breach to the affected data subjects and inform them about the measures they can take to mitigate the damage.

Step 3: Document all data breaches (including facts, consequences and adopted corrective measures).