The new EU General Data Protection Regulation (GDPR) makes it mandatory for organisations to notify the EU member state’s Data Protection Supervisory Authority (DPA) and, in some cases, affected data subjects in the event of a personal data breach.
This specific GDPR requirement to notify makes it imperative for organisations to make sure they have effective incident reporting and investigation policies and procedures for personal data breaches that are understood and implemented by their staff.
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
However, under the GDPR, notification is not required if a personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects. This means the organisation may have an opportunity to review, consider or argue the necessity of notifying a data breach, but all of this must be done within the 72-hour deadline.
In order to comply with the data breach notification obligation, organisations that process personal data of EU citizens should ensure that they have appropriate and effective corporate incident management and investigation policies with clear internal procedures and guidelines on identifying and reporting security breaches and carrying out root cause analyses.
Under the GDPR, data controllers must notify the supervisory authority without delay and, where practicable, not later than 72 hours after having become aware of the incident. A personal data breach notification delay of more than 72 hours will have to be well justified.
The notification to the DPA should at the minimum contain the following information:
- A clear description of the nature of the personal data breach
- The number and categories of data subjects and personal data records affected
- The contact details of the organisation’s data protection officer
- A description of the consequences of the personal data breach to the affected data subjects
- Whether affected data subjects have been notified
- Remedial action or measures taken or to be taken by the data controller to address and mitigate the impact(s) of the data breach.
If all of the information above is not available within the 72-hour window, it may be provided after the initial data breach notification.
Data processors do not have an obligation to notify data breaches to the DPA but must notify the data controller immediately for the data controller to take the necessary actions.
The GDPR offers guidance on required security standards; data controllers are obliged to ensure that their data processors have sufficient guarantees of adequate and appropriate security safeguards to protect personal data and to protect the rights of data subjects.
Organisations will need to implement effective policies and procedures to comply with the GDPR data breach obligations. Staff must be made aware of the organisation’s procedures and processes and must be appropriately trained to ensure they are able to identify and report data breaches.
DPOs must be able to investigate data breaches and carry out a root cause analysis for each incident to ensure lessons are learned and recurrence of incidents is avoided.
For the organisation’s incident management policies and procedures to be effectively implemented, the organisation needs to develop a culture that encourages staff to report incidents. The whole incident management process must be treated as a learning exercise rather than an exercise to apportion blame and liability for internal discipline.
The following are the key steps that organisations must take to ensure compliance with the GDPR data breach obligations:
- Develop or review the organisation’s incident management policies and procedures including incident response strategies and plans.
- Ensure policies and procedures are regularly monitored and tested for effectiveness, and that appropriate technical and organisational security measures are implemented to protect personal data, e.g. encryption or otherwise rendering data unintelligible in the event of a data breach.
- Review all supplier and data processor contracts and data sharing agreements so that suppliers are obliged to notify the data controller of personal data breaches immediately.