What happens after a data breach?
If your company aligns its data processing activities with the principles of privacy by design, the likelihood of a data breach happening is less than if you don’t adhere to these principles. However, in the event a data breach does occur, the penalties under the General Data Protection Regulation (GDPR or “The Regulation”) are harsh. In this fourth blog, we unpack the consequences facing businesses that experience a data breach.
Data breaches include any accidental, unauthorized or otherwise unlawful access to, or destruction, loss, alteration or disclosure of, personal data. If a breach of personal data does occur, a business has two urgent duties under GDPR:
- Duty to notify the supervisory authority
- Duty to notify the data subjects
Alerting the supervisory authority
Supervisory authorities are bodies set up by national governments within the EU to monitor and enforce data protection and security.
Article 33 of the Regulation outlines the cascade of reporting that must occur after a data breach. First, the data processor notifies the data controller. Next, the data controller notifies the supervisory authority. Notifying the supervisory authority must occur within 72 hours of becoming aware of the data breach.
This report must include the following:
- The nature of the breach.
- The categories of personal data, the number of records, and the categories and number of data subjects affected.
- The name and contact details of the data protection officer or other point of contact.
- The likely consequences of the breach.
- The measures taken or proposed to mitigate the effects of the breach.
The report can be updated as this information becomes available within the 72-hour reporting window. Documentation is key to staying compliant with GDPR, so it’s important that the entire reporting process is documented internally.
There are some exceptions to this rule such as where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. We believe this exception likely applies to purely administrative errors that do not lead to unauthorized people getting access to the data, and can be easily fixed: for example, accidentally deleting data which can be restored from backup. Even in the case of administrative error, the process ought to be documented clearly for the data controller and/or supervisory authority.
Alerting the data subjects
The disclosure obligation continues in cases where a data breach occurs and is likely to cause “a high risk to the rights and freedoms of natural persons”. Under Article 34, the reporting cascade continues on to include the data subjects who have been affected or may be affected by the breach.
This report must be in clear and plain language, and include at least the following information:
- The name and contact details of the data protection officer or other point of contact regarding the breach.
- The likely consequences of the breach.
- The measures taken or proposed to mitigate the effects of the breach.
There are a few exceptions to this process. First, the data subject’s personal data was properly encrypted or de-identified (though in that scenario there likely wasn’t a high risk in the first place). Second, measures taken after the fact mean there is no longer a high risk. Third, notification would involve disproportionate effort (for example, where the contact information of the data subjects is not available). In the third case, a public statement must be issued alerting the public to the data breach in lieu of direct notification.
The data controller determines the degree of risk arising from the data breach, and therefore whether the supervisory authority and the data subjects ought to be notified.
What are the penalties for a data breach?
If a company is found to be in violation of GDPR, it will face a bevy of serious fines. The penalties for a data breach ought to be “effective, proportionate and dissuasive for each individual case”.
In cases of severe data breaches, the fines can be up to €20 million or up to 4% of global annual turnover for the preceding fiscal year, whichever number is higher, per Article 83(5). In less severe cases, the fines can total up to €10 million or 2% of global annual turnover for the preceding fiscal year.
The Facebook Debacle
The first high-profile data breach in a post-GDPR world happened at Facebook. In September 2018, Facebook announced that 50 million accounts were impacted by a bug that revealed the personal data of their users. This number has since been reduced to 30 million users, but the Data Protection Commission in Ireland filed a class action lawsuit claiming the technology company failed to properly secure its users' data. It is projected that, of the original estimates of 50 million total impacted, roughly 5 million of these users reside in the EU.
Facebook could be looking at fines of more than $1 billion under GDPR per their revenue in the last fiscal year, though how the fines are assessed is at the discretion of the relevant authorities.
Since then, other high-profile data breaches have followed, like the Starwood-Marriott data breach, which, if the supervisory authority determines it is within the scope of GDPR, could cost the hotel chain up to $8.8 billion in fines.
Still have questions about GDPR? Download our GDPR Guide to learn more about the Regulation.