Healthcare companies need to issue notifications when the personal information of GDPR data subjects is compromised, but what are the data breach reporting requirements under the GDPR?
The GDPR defines personal data as any data associated with an identified or identifiable data subject. This includes any information that can directly or indirectly identify a person.
In the GDPR Article 4, a personal data breach refers to a breach of security that causes unlawful or accidental destruction, alteration, loss, unauthorized exposure of, or access to, personal information transferred, stored or processed.
A data breach refers to the accessing of a system that contain personal information by an unauthorized person, the theft of a device containing electronic personal information, or loss of physical or digital data. Data corruption is likewise regarded as a breach of data as are incidents affecting the availability of personal information, such as a ransomware attack.
What are the requirements for GDPR Data Breach Reporting?
It is required for data controllers and data processors to have active procedures in place for detecting data breaches, investigating security incidents and reporting breaches internally and externally. If a data processor discovers a breach, the data controller should be notified immediately.
The GDPR requires an employee who discovers or suspects that there has been a data breach to report it quickly to the Data Protection Officer (DPO). If there’s no appointed DPO, the report can be submitted to the privacy officer or the security team.
The DPO is responsible for reporting a breach to the supervisory authority. If a company has not appointed a DPO, someone must be assigned the responsibility of breach reporting. That person will be the point of contact for the supervisory authority in case further information about the breach is required.
The timescale for data breach reporting under the GDPR is a lot stricter than HIPAA. HIPAA requires breach reports to be issued up to 60 days after the discovery of a breach. GDPR Article 33 states that the supervisory authority must be notified about a breach within 72 hours. All data breaches must be reported unless they are unlikely to cause a high risk to the data subject’s rights and freedoms. Because of the short time frame for reporting breaches under the GDPR, it is likely that the breached entity will not have enough time to investigate the incident thoroughly, so the breach report is unlikely to be complete. It is therefore possible to provide the supervisory authority with information in stages.
The information that must be included in the data breach report submitted to the supervisory authority are:
- A description of the data breach
- Categories of data subjects affected and an estimated number of people affected
- Categories and estimated number of affected data records
- Contact information of the Data Protection Officer or the contact person in the company if there is no appointed DPO
- A description of the probable consequences of the breach
- The steps being undertaken to resolve the breach and reduce its negative effects
In case the entity misses the 72-hour reporting deadline, the reason for the delay must be stated when the breach report is submitted. The data controller needs to keep a record of all data breach reports, including all the information above and details of actions undertaken to resolve the incidents and reduce harm.
When to send breach notifications to data subjects
It is not always necessary to send breach notifications to data subjects affected by breaches of personal data. It depends on the level of risk to the data subjects’ rights and freedoms. Therefore, a data breach risk analysis must be performed. If the risk is determined to be high, it is necessary to issue personal data breach notifications.
Data breach notifications should be written using clear language that a reasonable person could understand. The personal breach notifications should include the categories of data exposed and the same types of information as the notification to the supervisory authority.
Personal data breach notifications do not need to be sent to data subjects when any of the following conditions are satisfied:
- If the personal data was rendered inaccessible or unintelligible prior to the breach – using encryption for example
- If it is certain that there is no risk to the rights and freedoms of data subjects
- If the data breach notifications will require disproportionate effort. In such cases, a public communication such as a press release could be issued instead
The data controller may be required by the supervisory authority to issue breach notifications to data subjects even when the data controller sees no high risk to the data subjects’ rights and freedom.