What are GDPR’s rules on data breaches?
GDPR’s rules on processing personal data are designed to help keep it secure and minimize the risks of data being lost or stolen. However, even with the best security protocols, data breaches do sometimes happen. In these cases, GDPR has rules governing what you need to do next.
Data breaches include any access to, or destruction, loss, alteration or disclosure of personal data which is accidental, unauthorized or otherwise unlawful. In these cases, there are two main duties.
Duty to notify the supervisory authority
As discussed in our article on penalties, supervisory authorities are bodies set up by national governments to monitor and enforce data protection and security. You will usually deal with the supervisory authority of the EU country where you have your main establishment.
Key Point: When a data breach occurs, under Article 33 a data processor must inform the data controller without undue delay. The data controller must then report it to the supervisory authority without undue delay, and in any case within 72 hours of becoming aware. |
This report must include the following:
- The nature of the breach.
- The categories of personal data, the number of records, and the categories and number of data subjects affected.
- The name and contact details of the data protection officer or other point of contact regarding the breach.
- The likely consequences of the breach.
- The measures taken or proposed to mitigate the effects of the breach.
Where it is not possible to give all of the information immediately, it can be provided later, after the initial notification of the breach. All of this information must also be documented internally.
There is an exception to this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Note that this is a wider category than just the data subjects themselves, as the personal data may also include information on other individuals.
This exception is likely to apply to purely administrative errors which do not lead to unauthorized people getting access to the data, and which can be remedied in a timely fashion: for example, accidental deletion of data which can be restored from backup. Even in these cases the breach should be documented so that you can demonstrate if necessary that you were correct that the duty to notify did not apply.
Duty to notify data subjects
There is a second duty (under Article 34) in cases where a data breach occurs and is likely to cause “a high risk to the rights and freedoms of natural persons”. In these circumstances, as well as telling the supervisory authority, the data controller must also without undue delay inform the data subjects whose personal data has been (or may have been) affected.
This report must be in clear and plain language, and include at least the following information:
- The name and contact details of the data protection officer or other point of contact regarding the breach.
- The likely consequences of the breach.
- The measures taken or proposed to mitigate the effects of the breach.
There are a number of exceptions to this duty. The first is where the personal data has been properly protected, particularly through encryption or similar methods (although this is likely to mean that there is not a high risk in the first place). The second is where measures taken after the fact mean that there is no longer a high risk.
The third is where notification would involve disproportionate effort (for example, where contact details of data subjects are not stored). In these cases, a public communication or similar measure must be used to ensure that data subjects are in fact informed of the issue.
Whether there is a high risk is a matter of judgement for data controllers. It is likely to be the case wherever an external party has gained access to the data (unless it is encrypted or otherwise unintelligible). It is less likely to be the case where the breach is accidental or involves access which is unauthorized only in a technical sense (for example by employees or agents who have not followed procedures, where such access does not appear suspicious).
If in doubt, it should be possible to ask for the supervisory authority’s opinion when referring the matter to them. They also have the power to order data controllers to notify data subjects where they have not done so voluntarily.
Duty to mitigate the harm?
GDPR contains no explicit duty to take steps to mitigate the harm caused by a data breach. However, such a duty is implied throughout the Regulation:
- The requirement to take appropriate measures to ensure data security could be interpreted as including a duty to take steps after a breach.
- Both of the duties to notify discussed above require you to set out the steps taken or proposed to be taken to mitigate the harm caused by breaches.
- Action taken to mitigate the harm is a factor supervisory authority take into account when deciding whether to impose fines and what the level of fines should be.
Given this, it would be extremely unwise to rely on the lack of a clear duty. You should take all reasonable steps to reduce the harm caused by a breach at the same time as notifying the supervisory authority and the data subjects as required.
The relatively tight timescales and the emphasis on acting in a timely manner emphasize the importance of having workable procedures in place to deal with any data breaches which occur. It also requires good communication between data controllers and data processors. In the next article we will look at this relationship in more detail.
Get all 10 articles in our series about GDPR in our e-book for free by clicking the link below: