
Data breach notification under the GDPR: issues to consider

23 March 2016
Helena Wootton and Lauren Millward explain the potentially wide-ranging practical implications for data controllers and processors.

When the EU General Data Protection Regulation (GDPR) enters into force, it will change the way that data controllers and data processors deal with data breach notifications. Under the current law there is no obligation on data processors to notify data breaches, and ICO guidance on breach notification does not extend to asking data processors to notify voluntarily.

What does the GDPR say?

Article 31 of the GDPR provides that, in the case of a personal data breach[1], the data controller shall notify the breach to the supervisory authority "without undue delay" and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is "unlikely to result in a risk for the rights and freedoms of individuals".

If the notification is not made within 72 hours of becoming aware of the breach, the data controller must give a 'reasoned justification' explaining the reason for the delay. An additional obligation is imposed on data processors to notify the data controller after becoming aware of a personal data breach[2]. The data controller is also required to record any personal data breaches and any actions it has taken in respect of them.

Under Article 32, where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is required to communicate the nature of the personal data breach, together with the information set out in footnote 2 below, in clear and plain language to the data subjects concerned, without undue delay. There are, however, some circumstances in which notification to the data subject is not required, including:
  1. The controller has implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach (such as encryption).
  2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to arise.
  3. It would involve disproportionate effort.
In addition, Article 31(2) provides that the processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Uncertainties

There are a number of uncertainties in the definition and wording as drafted. Unfortunately, data breach notification is not identified as one of the specific areas on which the EU Article 29 Working Party will be issuing guidance for controllers and processors in 2016, so we will need to wait for specific advice.

The definition of 'personal data breach' requires that the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data results from a breach of security. Data controllers and processors may therefore raise the issue of causation: whether a particular loss or disclosure was in fact caused by a failure of security.

All notifications, by processors or controllers must be undertaken without “undue delay”, after having become aware of the breach. It is unclear what would be deemed to be ‘undue delay’ and who would be responsible for managing and governing that. For controllers, a long stop of 72 hours is set out although note that notification can still happen after 72 hours provided the controller gives reasoned justification explaining why the delay occurred. Despite that, it is not clear what would be an appropriate justification and when the delay may be deemed to be ‘undue’.

In particular, it would be useful to have more guidance on how this fits in with the other obligations on controllers to manage data breaches. Would a delay be 'undue' if it was the result of the controller focusing all its efforts and resources on containing and resolving the breach before notifying the ICO? Many controllers would hope and expect that it would not, but guidance would be helpful. A further criticism is that, within 72 hours, a data controller may not have sufficient information about the nature and scope of the breach, which may still be ongoing.

When deciding whether a data breach needs to be reported, a data controller must consider whether there is a “risk for the rights and freedoms of individuals”. If there is deemed to be no such risk, even though a data breach has occurred then there is no obligation to notify under article 31. If, however, the risk is high, then the controller must also notify the individual concerned under article 32.

There is no guidance on how the 'risk to the rights and freedoms of data subjects' is to be determined. Unless guidance is given on this issue, it could be interpreted and applied in different ways by different controllers, leading to inconsistent reporting across organisations[3]. What is a 'risk' in one context may not be a risk in another.

Whether there is such a risk is also likely to vary depending on the type of data that is the subject of the breach and the type of breach that has occurred. A breach that discloses an individual’s health or financial information may be likely to have a significantly higher risk to the rights and freedoms of a data subject than a breach that leads to disclosure of customer names with no further information about the individuals.

Article 32 states that notification to individual data subjects about the breach is not required if it would involve "disproportionate effort". It is not clear what would be considered 'disproportionate' or who would be responsible for making that assessment. Note that a public notice or similar measure would still be required to communicate the breach in those circumstances. It is also not clear what the effort needs to be balanced against: is the bar for deciding that the effort of notifying data subjects is disproportionate set higher for breaches that present a higher risk to data subjects?

The new principle of accountability requires the data controller to be responsible for, and able to "demonstrate" and "evidence", compliance with the Data Protection Principles. We would hope that, in line with accountability, an organisation which can evidence that it clearly considered whether a notification needed to be made (taking into account the rights and freedoms of data subjects) and whether each of the exclusions set out in the GDPR applied before reaching its decision would thereby comply with the legislation.

The ICO issued guidance in 2012 on the meaning of 'disproportionate effort' for data controllers dealing with subject access requests. In that guidance, the ICO indicated that data controllers cannot refuse to comply with a subject access request merely because it would be costly and time-consuming to do so. Controllers should make extensive efforts to locate personal data, although they are not obliged to leave no stone unturned. Although not directly relevant to data breach notification, this earlier guidance on the interpretation of 'disproportionate effort' in respect of subject access requests may be relevant in determining how the phrase will be interpreted in relation to data breaches.

In particular, considering how a notification will need to be made, it is difficult to envisage a scenario when that notification in itself, which may be achieved by sending a message to customers, issuing a press release or including wording on a website, would be disproportionate.

The GDPR enables data controllers to avoid several obligations where ‘disproportionate effort’ is required, including the requirement to provide information (Article 14) and notification of rectification or erasure (Article 17).

How does this differ from the current law in the UK?

The Privacy and Electronic Communications Regulations (PECR): Under the current law, communications service providers are obliged to notify personal data breaches to the ICO within 24 hours of becoming aware of the breach. They must also consider whether to notify customers, and there is an existing requirement to record details of security breaches in a breach log. We assume that when the GDPR comes into force the two systems for data breach notification will continue to co-exist until the review of the e-Privacy Directive is complete; two systems of reporting could get complicated.

The Network and Information Security (NIS) Directive: The Network and Information Security Directive (once finalised) is also likely to require operators of essential services and digital service providers subject to the Directive to put in place appropriate security measures to protect networks and data, and to report serious cyber incidents. Those notification requirements extend beyond the requirements of the GDPR, as the NIS Directive requires notification to the competent authorities whenever an incident has a 'substantial impact on the provision of the operator's service', whether or not personal data is involved. It seems likely that those notification requirements will also need to co-exist with the notification requirements under the GDPR. Guidance on how that will happen in practice would be welcome; with more than one system of reporting, it could be complex for those providers who are subject to both regimes.

Data Protection Act: Although the Data Protection Act 1998 imposes no express legal obligation on data controllers to report data breaches, ICO guidance on the seventh data protection principle indicates that serious breaches should be reported, and that data controllers should consider whether to notify data subjects, the ICO or other regulatory bodies as part of managing a data breach. In particular, the ICO indicates that it expects 'serious data breaches' to be brought to its attention. 'Serious data breach' is not defined, however. The guidance suggests that organisations should take into account factors such as the potential detriment to data subjects and the volume and sensitivity of the data lost when making that assessment.

In the absence of EU Article 29 DP working Party guidance (which will be binding following implementation of the GDPR) the current ICO guidance may be helpful in interpreting some of the uncertainties in the GDPR. But in the end, there may be little difference in how organisations will determine when to notify in practice. Although there will be an administrative burden on controllers to comply with the legislation as a result of this change, arguably this is no more than under the current guidance from the ICO which suggests that data controllers should give notification in order to avoid adverse effects when it comes to enforcement. The main implication is that a failure may result in a fine being imposed.

The current law does not, of course, place any obligations on data processors and so the new obligations on data processors to give notification to data controllers in the GDPR are a significant change. In practice, however, data controllers have often placed contractual obligations on data processors to give such notification suggesting that, for many data processors, the changes in the GDPR will not change how they deal with data breaches. That is, of course, not the case in respect of all data processors and so these obligations will represent a significant change for many.

Practical implications

Throughout the GDPR we see increased burdens on data controllers to implement measures to manage the personal data that they process. The new 'accountability' principle requires data controllers to 'demonstrate' and 'evidence' compliance. Organisations, whether data controllers or data processors, should therefore develop clear internal policies and procedures for determining when a breach has taken place, how to manage that breach and when to give notification. Those policies should include guidance for the relevant individuals in the business on when, and in what circumstances, to report.

Large organisations, in particular, will need clear lines of responsibility to ensure that data breaches within the organisation itself are identified and dealt with appropriately. Controllers will also need to ensure that when a report comes in from a data processor (and a single organisation might engage many) the controller is able to act on that report and make any necessary notification to the ICO and/or data subjects without undue delay.

These new provisions clearly place administrative burdens on organisations, whether that organisation is a data controller or data processor. Data controllers will also need to ensure they have the correct procedures in place to receive those reports and to act on them.

Unless the uncertainties mentioned above are resolved before the GDPR comes into force, in particular around the threshold of reporting, how to assess whether there is a ‘risk’ or a ‘high risk’ to the rights and freedoms of data subjects, then it is likely that organisations will ‘over report’ in the event of uncertainty to avoid being in breach of the legislation (and therefore potentially subject to the high fines under the GDPR). The ICO will need to ensure that it has the ability and the capacity to deal with that.
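As an added example (not from the article or from the authors' firm), here is one way an incident-response team might encode the decision rules summarised above as a triage helper for its breach-management procedure: it computes the 72-hour long stop from the moment of awareness, applies the 'risk' and 'high risk' thresholds and the three Article 32 exceptions, flags a late notification as needing a reasoned justification, and assembles the four items footnote 2 requires. The sample breach, the risk ratings, the `dpo@example.invalid` address and the mapping of the exceptions to boolean flags are all assumptions; the thresholds remain uncertain in the ways the article describes, so this is a worked reading of the draft text, not a statement of the law.

```python
"""Breach-notification triage modelled on draft GDPR Articles 31/32 as
summarised in the article. Illustrative only: inputs are constructed and the
rules are one reading of the draft text, not legal advice or ICO procedure."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

AUTHORITY_LONG_STOP = timedelta(hours=72)  # "not later than 72 hours"


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass
class Breach:
    # The four items footnote 2 requires in a notification to the authority.
    nature: str
    dpo_contact: str
    likely_consequences: str
    measures: str
    risk: Risk                          # assessed by the IR lead; an assumption here
    became_aware_at: datetime           # must be timezone-aware: it starts the clock
    # Article 32 exceptions to informing individuals (flag mapping is an assumption).
    data_unintelligible: bool = False   # e.g. encrypted and the key was not exposed
    high_risk_mitigated: bool = False   # subsequent measures removed the high risk
    individual_notice_disproportionate: bool = False


@dataclass
class Decision:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_individuals: bool
    public_communication: bool
    reasons: List[str] = field(default_factory=list)


def assess(b: Breach) -> Decision:
    """Apply the Article 31 threshold, then the Article 32 high-risk rules."""
    if b.became_aware_at.tzinfo is None:
        raise ValueError("became_aware_at must be timezone-aware")
    d = Decision(False, None, False, False)
    if b.risk is Risk.UNLIKELY:
        d.reasons.append("Art 31: unlikely to result in a risk; record internally only")
        return d
    d.notify_authority = True
    d.authority_deadline = b.became_aware_at + AUTHORITY_LONG_STOP
    d.reasons.append("Art 31: notify the supervisory authority without undue delay")
    if b.risk is Risk.HIGH:
        if b.data_unintelligible:
            d.reasons.append("Art 32 exception 1: protective measures such as encryption")
        elif b.high_risk_mitigated:
            d.reasons.append("Art 32 exception 2: subsequent measures removed the high risk")
        elif b.individual_notice_disproportionate:
            d.public_communication = True
            d.reasons.append("Art 32 exception 3: disproportionate effort; public notice instead")
        else:
            d.notify_individuals = True
            d.reasons.append("Art 32: high risk; inform data subjects without undue delay")
    return d


def authority_notification(b: Breach, sent_at: datetime) -> dict:
    """Assemble the notification record; a late one needs a reasoned justification."""
    d = assess(b)
    if not d.notify_authority:
        raise ValueError("no authority notification is due for this breach")
    elapsed_hours = (sent_at - b.became_aware_at) / timedelta(hours=1)
    return {
        "nature": b.nature,
        "dpo_contact": b.dpo_contact,
        "likely_consequences": b.likely_consequences,
        "measures": b.measures,
        "became_aware_at": b.became_aware_at.isoformat(),
        "sent_at": sent_at.isoformat(),
        "hours_after_awareness": round(elapsed_hours, 1),
        "reasoned_justification_required": sent_at > d.authority_deadline,
        "decision_trail": d.reasons,   # the evidence the accountability principle asks for
    }


def sample_breach(risk: Risk = Risk.HIGH, **flags) -> Breach:
    """Constructed sample input for demonstration; not a real incident."""
    aware = datetime(2016, 3, 23, 9, 0, tzinfo=timezone.utc)
    return Breach(
        nature="Laptop holding customer health records stolen from a car",
        dpo_contact="dpo@example.invalid",
        likely_consequences="Exposure of health data of about 2,000 customers",
        measures="Device remotely wiped; police informed; records re-issued encrypted",
        risk=risk, became_aware_at=aware, **flags)


if __name__ == "__main__":
    b = sample_breach()
    for line in assess(b).reasons:
        print(line)
    print(authority_notification(b, b.became_aware_at + timedelta(hours=80)))
```

Running the module prints the decision trail for the constructed high-risk breach and a notification record sent 80 hours after awareness, with `reasoned_justification_required` set; re-running with `sample_breach(data_unintelligible=True)` shows the authority notification still due while the individual notice drops away under the first Article 32 exception.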

More guidance required

Although the ICO guidance advising controllers to notify under the current law is likely to be useful to some extent, there are still many uncertainties in the GDPR notification requirements which should ideally be resolved before notification becomes a legal requirement.

At the moment, data breaches are significant news and examples of data breaches are increasingly making headlines. There is a risk that once data breach notification is a legal requirement, individuals become desensitised to such breaches. If data breach notifications occur every day, they will no longer make the headlines. The likely result is that we ignore a breach when it happens and become less protective of our personal data as a result, feeling a lack of control and resigned to the inevitability of a breach. Ironing out the uncertainties through guidance will help data controllers feel clear about when a notification is required.

[1] 'Personal data breach' is defined in the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

[2] The notification given is required at least to: describe the nature of the breach; provide the name and contact details of the organisation's data protection officer; describe the likely consequences of the breach; and describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

[3] The Article 29 Working Party's action plan for 2016 confirms that it will be providing guidance on the 'Notion of high risk, and Data Protection Impact Assessment'. Although it is not clear at this stage whether that guidance will extend to the notion of 'high risk' in respect of data breach notification, it will presumably be relevant in assisting with interpretation of the uncertainties discussed here.
