GDPR’s rules on processing personal data are designed to help keep it secure and minimize the risks of data being lost or stolen. However, even with the best security protocols, data breaches do sometimes happen. In these cases, GDPR has rules governing what you need to do next.
A personal data breach, as defined in Article 4(12), is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. When one occurs, there are two main duties.
As discussed in our article on penalties, supervisory authorities are bodies set up by national governments to monitor and enforce data protection and security. You will usually deal with the supervisory authority of the EU country where you have your main establishment.
Key Point: Under Article 33, when a data breach occurs a data processor must inform the data controller without undue delay after becoming aware of it. The data controller must then report it to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. A notification made later than 72 hours must be accompanied by the reasons for the delay.
Under Article 33(3), this report must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and of personal data records concerned); give the name and contact details of the data protection officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address it, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to give all of this information at once, it can be provided in phases after the initial notification, without undue further delay. All of it must also be documented internally, together with the facts of the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
There is an exception to this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Note that this is a wider category than just the data subjects themselves, as the personal data may also include information on other individuals.
This exception is likely to apply to purely administrative errors which do not lead to unauthorized people getting access to the data, and which can be remedied in a timely fashion: for example, accidental deletion of data which can be restored from backup. Even in these cases the breach should be documented so that you can demonstrate if necessary that you were correct that the duty to notify did not apply.
There is a second duty (under Article 34) in cases where a data breach occurs and is likely to cause “a high risk to the rights and freedoms of natural persons”. In these circumstances, as well as telling the supervisory authority, the data controller must also without undue delay inform the data subjects whose personal data has been (or may have been) affected.
Under Article 34(2), this communication must be in clear and plain language and must describe the nature of the breach and include at least the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it, including measures to mitigate its possible adverse effects.
There are a number of exceptions to this duty. The first is where the affected personal data had been properly protected, particularly through encryption or similar measures that render it unintelligible to anyone not authorized to access it; in practice this only holds if the decryption keys were not also compromised, and if it does hold there is usually no high risk in the first place. The second is where measures taken after the fact mean that a high risk is no longer likely to materialize.
The third is where notification would involve disproportionate effort (for example, where contact details of data subjects are not stored). In these cases, a public communication or similar measure must be used to ensure that data subjects are in fact informed of the issue.
Whether there is a high risk is a matter of judgement for data controllers. It is likely to be the case wherever an external party has gained access to the data (unless it is encrypted or otherwise unintelligible). It is less likely to be the case where the breach is accidental or involves access which is unauthorized only in a technical sense (for example by employees or agents who have not followed procedures, where such access does not appear suspicious).
If in doubt, it should be possible to ask for the supervisory authority’s opinion when referring the matter to them. They also have the power to order data controllers to notify data subjects where they have not done so voluntarily.
GDPR contains no explicit, free-standing duty to take steps to mitigate the harm caused by a data breach. However, such a duty is implied throughout the Regulation: Article 33(3)(d) requires the notification to the supervisory authority to describe the measures taken to address the breach and to mitigate its possible adverse effects, Article 34(3)(b) excuses notification of data subjects only where subsequent measures have removed the high risk, and Article 32 requires security measures appropriate to the risk, which includes the ability to respond to and contain incidents.
Given this, it would be extremely unwise to rely on the lack of a clear duty. You should take all reasonable steps to reduce the harm caused by a breach at the same time as notifying the supervisory authority and the data subjects as required.