The General Data Protection Regulation (“GDPR”) is a broad set of regulations in the European Union (“EU”) that protects the personal data of its residents. Under the GDPR, if an organization has a data breach, it must notify a regulatory authority and the affected individuals. In this guide, we will answer:
- Who must report data breaches under the GDPR: General Data Protection Regulation?
- What are the breach notification requirements under the GDPR?
Who must report data breaches under the GDPR: General Data Protection Regulation?
The GDPR’s data breach notification law applies to organizations that are processors and controllers of personal data. A processor “processes personal data on behalf of a controller.” A controller “determines the purposes and means of the processing of personal data.” These organizations can be:
- A natural or legal person
- A public authority
- An agency or other body
The GDPR’s definition of “personal data” includes any information that relates to an identified or identifiable natural person, which is called a “data subject.” An identifiable natural person is someone “who can be identified, either directly or indirectly, in particular by reference to an identifier.” An identifier includes:
- A name
- An identification number
- Location data
- An online identifier
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
The GDPR states that personal data includes “any information,” so a court may interpret the term broadly. Case law from the European Court of Justice considers less explicit information to be personal data, such as an IP address.
What are the breach notification requirements under the GDPR?
The GDPR requires controllers and processors to keep personal data secure. Additionally, the GDPR provides data breach notification requirements. The failure to report a breach to a supervisory authority or a data subject could lead to sanctions under Article 83.
Article 32 requires controllers and processors to implement technical and organizational measures that “ensure a level of security appropriate to the risk.” The measures may include:
- Encryption methods – the pseudonymization and encryption of personal data.
- Data assurance – the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Data backups – the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Vulnerability assessments – a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
If a controller or its processor has a personal data breach, the law requires the controller to notify:
- A supervisory authority
- The data subjects affected by the breach
Under the GDPR, a “personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The definition of a breach is not limited to incidents that involve unauthorized access by a hacker. For example, a breach can be an accident, such as an unauthorized disclosure by an employee who accidentally forwards an email with someone’s personal data.
Notification to a Supervisory Authority
Article 33 requires a controller to report a personal data breach to a supervisory authority. If a controller has a personal data breach or is notified by a processor of a breach, the controller must take immediate steps “without undue delay” as required by the GDPR.
Once a controller becomes aware of a breach, it has up to 72 hours “where feasible” to notify the supervisory authority. If a processor has a breach, it must notify the controller “without undue delay after becoming aware of a personal data breach.”
If a controller cannot provide all of the information about the breach at the same time, the controller may provide the information “in phases without undue further delay.” The controller must document the breach with all the facts relating to:
- The personal data breach
- The effects of the breach
- The remedial action taken
Article 33(3) provides a list of documentation requirements. The notification to the supervisory authority must:
- Describe the nature of the personal data breach including where possible:
  - The categories and approximate number of data subjects concerned, and
  - The categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The required documentation enables the supervisory authority to verify compliance with the law. A supervisory authority’s focus when reviewing the documentation is to protect the data subjects and their personal data.
Each member state of the EU must provide one or more independent public authorities that are responsible for monitoring the application of the GDPR. Under Article 51, a supervisory authority is an independent public authority that protects “the fundamental rights and freedoms of natural persons in relation to the processing and to facilitate the free flow of personal data” within the EU. The supervisory authority must be “competent” under Article 55, which requires that it has the power and ability to supervise the notification process.
The Article 29 Data Protection Working Party (“WP29”) published guidelines for data breach notification requirements. The WP29 guidelines explain the advantages of notifying a supervisory authority about a data breach. As a benefit, controllers can obtain advice from the supervisory authority on whether the affected individuals need to be informed about the breach. Also, if the supervisory authority orders the controller to inform the individuals, the controller can provide information to the individuals about the risks from the breach with guidance to protect themselves.
Article 33 requires a controller to notify a supervisory authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This allows a controller to conduct a risk of harm analysis. The WP29 guidelines explain that “the more sensitive the data, the higher the risk of harm will be to the people affected.” Further, “consideration should also be given to other personal data that may already be available about the data subject.”
According to the WP29 guidelines, the exposure of certain identifying data can cause harm on its own. This includes:
- Health records
- Financial accounts
- Identity documents
A combination of personal data carries more risk of causing substantial damage to a data subject. As a result, a person is more vulnerable to becoming a victim of identity theft when identifying information is combined together.
Notification to a Data Subject
Article 34 requires notification to data subjects of a personal data breach when it “is likely to result in a high risk to the rights and freedoms of natural persons.” If there is a high risk, the controller must “communicate the personal data breach to the data subject without undue delay.” A communication to the data subject must:
- Use clear and plain language
- Describe the nature of the personal data breach
- Contain at least the information and measures referred to in Article 33(3), sections (b), (c) and (d), as follows:
  - The name and contact details of the data protection officer or other contact point where more information can be obtained;
  - The likely consequences of the personal data breach;
  - The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The GDPR has three conditions that exempt a controller from the requirement to send a notification. A communication is not required to the data subject if any of the following conditions are met:
- Encrypted data – the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- No risk of harm – the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Public notice – notice to data subjects would involve disproportionate effort. In such a case, data subjects can be informed in an equally effective manner by a public communication or similar measure.
The first condition offers a safe harbor for encrypted data. If the controller had encrypted the data before the breach, so that it remains unintelligible to anyone not authorized to access it, the controller does not have to notify the data subjects.
The second condition involves a risk of harm analysis. This analysis considers the severity of the risks to a data subject. If the controller takes measures after the breach to ensure there is no risk to the data subjects, the controller does not have to notify them.
The third condition allows the use of substitute notification. This happens when a public notice is more efficient than sending individual notifications to data subjects.