Introduction
A key change to EU data protection law resulting from the GDPR was the requirement for personal data breach notifications. Under previous national data protection law in most member states this was not mandatory. Now, depending on the risks resulting from breaches, controllers may be obliged to notify their supervisory authorities and the affected data subjects.
Failure to meet these obligations to protect affected persons can have serious consequences to the controller. For example, in December 2020, Twitter was fined €450k by Ireland’s Data Protection Commission, because of its “failure to notify the breach on time to the DPC and a failure to adequately document the breach.”[1]
What is a personal data breach?
As defined in GDPR Article 4(12), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
The key word there is “security”. A common misunderstanding is if a controller intentionally shares or processes too much personal data, that constitutes a data breach. It may well be an infringement of the GDPR data minimisation and/or purpose limitation principles. And it may result in sanctions against the controller. However, as it is not actuallya security incident, it does not meet the definition of a breach and therefore does not require breach notifications.
Another frequent misunderstanding is that a personal data breach is only a security incident resulting in an accidental or unlawful disclosure of personal data. This relates to the widespread misinterpretation of “privacy” and “data protection” being the same thing. They are not. As defined above, a breach also includes accidental or unlawful destruction, loss, or alteration of personal data.
For example, if a hospital patient’s medical records are accidentally destroyed, this is not per se a privacy incident. The patient’s confidentiality is unaffected. However, the worst case effect on the patient could be fatal.
Which personal data breaches must be notified and when?
Breach notification obligations on the controller
Not every personal data breach must be notified to your supervisory authority (SA). But the threshold is intentionally low. As the controller of personal data you must “notify the personal data breach …. unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” And, where feasible, the notification must be made not later than 72 hours after having your become aware of it. This is literally 72 hours – not, e.g., three working days.
The threshold for reporting data breaches directly to affected data subjects is higher. You must make such notifications if the breach “is likely to result in a high risk to the rights and freedoms of natural persons”. When making the notification, you must include the contact details of your DPO if applicable, or if not another contact point where affected individuals can request further details. You must also describe the likely consequences of the data breach and the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate possible adverse effects.
The main logic for a notification to a SA is that will re-assess the risk and, if it has a different view on it to you, it may recommend or order measures to contain the risk. This is also the rationale for the 72-hour deadline for notifications, so the SA’s re-assessment can be done “in an appropriate and timely manner” (Recital 85). So, regardless of how low you consider the risk impact severity to be, it must still be reported to your SA unless occurrence of the impact is unlikely.
It is also important to note that you must maintain your own internal documented records of breaches you experience, comprising the facts relating to the breaches, their effects and the remedial actions taken. These records must be provided on request to your SA, enabling it to verify your compliance with your GDPR Article 33 breach notification obligations. As noted above, Twitter’s failure to adequately document its breach was one of the grounds for its €450k fine.
Even if you conclude that a risk to individuals is unlikely and therefore a breach notification is unnecessary, you must still document the breach. If anything, it’s more important to internally document a breach that you do not notify. Then you have a record of the breach and the rationale for your risk assessment conclusion that a notification was unnecessary.
What if you’re a processor and not the controller of personal data affected by a breach?
If you are a processor of personal data on behalf of the controller, you do not make a breach notification to your SA or the affected individuals. You must notify the controller without undue delay after becoming aware of a personal data breach. You must do so regardless of how low you may consider the resulting risks to be. It is then the controller’s responsibility to make the risk assessment of the breach and decide if a notification to its SA and/or affected individuals is required.
Conclusions
Personal data breach notifications are a legal and ethical obligation. The main purpose is to identify and contain the resulting risks to affected individuals. Failure by an organisation meet its obligation could result in sanctions, fines, litigation, and loss of trust & reputation.
Unfortunately, there is still high variation in breach notification rates across EU member states, indicating that this legal and ethical obligation is not being consistently applied.[2]
Protect the people whose data you process and your own organisation by having adequate policies & procedures to recognise personal data breaches and, where necessary, make notifications.
[1] “Data Protection Commission announces decision in Twitter inquiry”, 15 December 2020.
[2] “DLA Piper GDPR fines and data breach survey: January 2022”