As we have seen already in this GDPR blog series, the new regulation is pioneering in terms of how it seeks to harmonise attitudes towards data privacy and protection. Article 33 of the GDPR, ‘Notification of a personal data breach to the supervisory authority,’ reads as follows:
“The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons…”
But what does this actually mean? What constitutes “undue delay”? Who determines whether a breach is likely to “result in a risk to the rights and freedoms of natural persons”? And what does that even mean?!
Before we get into that, let’s start with some background of breach notification legislation.
The game-changer: California
The state of California was the true pioneer of mandatory personal data breach notification when it enacted legislation in 2002. Under that legislation, any business or state entity was legally obliged to notify any resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorised person. Gone were the days of being able to cover up data breaches; instead full notification was required, both to affected individuals and to regulators. As regulators paid more attention to these data breaches, so did the public. A culture of scrutiny ensued, and the readiness to litigate swiftly followed, resulting in the proliferation of class action suits.
Did this scrutiny cross the pond?
Well, no… Or at least, not immediately. The current governing law with regards to data privacy and protection in Europe is the ‘European Data Protection Directive (95/46/EC).’ This directive does not contain obligations to notify parties of a personal data breach, aside from the occasional member state having implied obligations of data breach disclosure through regulatory guidance. Also, the last amendment of the directive imposed some obligations on ‘providers of publicly available electronic communication services’ to notify authorities and affected individuals. However, there is no real consistency for data breach notification in terms of approach, regulation or implementation across Europe or its industries.
The GDPR, coming into effect on 25th May 2018, changes this and introduces a much more onerous and far-reaching regime with respect to breach notification. Here are the key factors:
Who and when to notify under the GDPR
The data controller must notify the supervisory authority (i.e. the national data protection authority) without undue delay and certainly within 72 hours of becoming aware of a breach, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Let’s unpack this…
- Firstly, a breach notification to the supervisory authority must “at least”:
  - Describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected;
  - Provide the data protection officer’s contact information;
  - “Describe the likely consequences of the personal data breach”; and
  - Describe how the controller proposes to address the breach, including any mitigation efforts. If all information is not available at once, it may be provided in phases.
- “Undue delay.” There has not been any formal guidance on what will count as undue delay, but it is fair to say that this will be determined by case law. If notification is not made within the 72 hours, then the controller must provide a “reasoned justification” for the delay.
- “Risk to the rights and freedoms of natural persons.” A real phrase for the lawyers to sink their teeth into. I can imagine a huge amount of debate over the necessity of notification here, and perhaps this is a little bit weak of the GDPR. Notification to data subjects will not be required if:
  - A data controller has implemented appropriate security measures that render the personal data unintelligible to any unauthorised person (e.g. if it is encrypted);
  - The data controller has taken subsequent measures to ensure the risk to the rights and freedoms of natural persons does not materialise; or
  - It would involve disproportionate effort, in which case a public communication will suffice.
- If there is a risk to the rights and freedoms of natural persons, then the breached entity must also notify individuals without undue delay.
It’s important that all entities have both an understanding of these requirements and appropriate access to legal counsel for guidance through their obligations under the GDPR breach notification provisions, especially in the early stages, where case law will likely set a lot of procedural precedents.
Ramifications for failing to comply
As we will discuss further in our tenth entry in this blog series (‘Enforcement’ – due in February), under the GDPR, regulators will possess the ability to seriously punish entities who fail to comply with the GDPR, with civil monetary penalties of up to €20m or 4% of global annual turnover, whichever is higher. Furthermore, the GDPR includes an explicit statutory ability for affected data subjects (or ‘natural persons’) to claim compensation and join class actions (even for distress alone).
Survival of the most-prepared
The breach notification requirements of the GDPR will require significant preparation from organisations, across all territories (see blog post 2 on the territorial scope of the GDPR!), of all sizes and in all industries. It is widely thought that the vast majority of organisations are under-prepared at the moment, which is especially terrifying considering the impending ‘day zero’ in May 2018.
Once an organisation has discovered that it has had a data breach, it is going to have to act extremely quickly, especially as experienced lawyers in the space will attest to the fact that the first 24-48 hours after the discovery of a breach are very unproductive. Candidly, organisations cannot afford to be unprepared come May. Upon discovery of a breach, each organisation will have to:
- Identify and resolve the point of failure or attack vector;
- Gather information relating to the factual, technical and legal background to the data breach;
- Notify the data protection authority and other sector-specific regulators (such as the Financial Conduct Authority and Prudential Regulation Authority) as necessary; and,
- Notify all affected data subjects.
Each of these points, both independently and in combination, represents a potential minefield of issues that could have catastrophic ramifications for organisations.
The importance of cyber insurance has never been so apparent. The coverage provides organisations with access to specialist forensic, IT and fraud consultants to help manage and mitigate the breach, and access to specialist legal counsel who handle the regulatory management of the breach, including notifying both the data protection authorities and data subjects. Lastly, the coverage provided for reputational damage can help protect the organisation in the post-breach era. Whilst internal processes and procedures need to be updated to ensure compliance in the day-to-day operation of the organisation, insurance coverage should be used to help protect against the inevitability of a data breach.