GDPR Data Breach Notification Rules
The General Data Protection Regulation (GDPR) will be in force starting May 25, 2018. Organizations need to know how the GDPR changes the rules on the use of personal data and on the issuance of data breach notifications.
Data controllers and data processors must use the necessary tools and methods to store and process information securely. The GDPR does not mandate a specific method; however, Article 32 requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” A list of sample security measures is provided, which includes pseudonymization and encryption. There are also recommended procedures for ensuring the confidentiality of data, quickly restoring access to data after a breach incident, and regularly testing security measures. Proper documentation of security systems and procedures is also important to prove compliance with the regulation. Having no proof of compliance to show may result in being labeled non-compliant and penalized.
GDPR Article 4 defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Article 33 provides guidance on the proper notification response in case of a personal data breach. Data controllers are responsible for reporting the data breach to the appropriate authority within 72 hours of discovering the breach. Failure to report within 72 hours requires an explanation to the authority. If a breach is determined to have a low probability of affecting the rights and freedoms of a data subject (the person the data is about), it is not required to report the breach within 72 hours.
There is no fixed deadline for notifying data subjects about a breach, but data controllers must issue the notification “without undue delay.” Data processors also need to notify the pertinent data controller upon discovery of a breach “without undue delay,” because the data controller is still the one who reports a breach discovered by the processor to the authority. The elements listed below are required when notifying the authority. It is all right if not all of this information is provided at once, but it must be provided when available without undue delay. Again, proper documentation is necessary as proof of compliance.
- the nature of the personal data
- the categories of data involved
- the estimated number of data subjects affected
- the estimated number of data records affected
- the name and contact information of the data protection officer
- a description of the potential consequences of the breach
- a description of the action steps taken by the data controller to reduce the risks and prevent similar breaches from happening in the future
Controllers must notify data subjects about a breach when there is a high risk to the data subjects’ rights and freedoms.
There is no need to notify data subjects if
- the security measures in place, such as encryption, would render the personal data unintelligible to the unauthorized person who accessed it
- the action steps implemented have made the potential harm to individual rights and freedoms unlikely to occur
- notification would require “disproportionate effort”; in this case a public communication that informs the data subjects effectively may be used instead
Notification to data subjects must provide the following information:
- the name and contact information of the data protection officer
- a description of the potential consequences of the breach
- a description of the action steps taken by the controller to reduce the risk and prevent similar breaches from happening in the future