Security incidents may vary from minor technical anomalies to those that warrant a more serious approach. Where a security incident involves the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, it crosses into the territory of personal data breaches (“data breaches”). In other words, although these concepts are intertwined, a security incident is better understood as an event or vulnerability that may give rise to a data breach.
Under the GDPR, when a data breach occurs, the controller may need to notify the relevant data protection authority (“DPA”), the affected data subjects, both, or neither. Whether to notify should follow from a careful assessment of the likelihood of the risk the data breach poses to the rights and freedoms of the affected data subjects. In other words, data subjects are by definition affected by any breach of their data; what ultimately determines whether a breach is notifiable is its impact on their rights and freedoms.
If a data breach doesn’t meet the notification threshold, what follows is rather simple. Controllers have an obligation to document the data breach, more specifically, what occurred, its effects and the remedial actions taken, including the reasons for not notifying. Documenting this is not merely a legal obligation; it effectively assists you in demonstrating accountability before DPAs in the event that they reach out for information or if a data subject submits a complaint.
Dealing with data breaches may seem daunting; however, a clear and structured approach can make the process far more manageable. Having a Data Breach Policy or Incident Response Plan is a good starting point. In practice, once you’ve taken the necessary steps to contain and minimise the effects of the data breach to the best of your abilities, you should make an assessment to determine the effects and further remediation steps. Having written reporting procedures in place helps you understand exactly when a data breach should be reported.
If an assessment leaves it unclear whether notification is necessary, but a common-sense reading of the circumstances points toward reporting, notifying the relevant DPA is the recommended course of action, as it avoids the risk of non-compliance. Erring on the side of caution does not, however, mean reporting everything merely to show that a report was made: DPAs handle a vast number of data breaches, and over-reporting is generally considered poor practice because it diverts attention and resources away from breaches that genuinely require them.
For instance, if a doctor accidentally sends an appointment reminder to the wrong patient, disclosing another patient’s name and appointment date, they may decide to report the data breach even though the personal data disclosed is minimal, non-sensitive and unlikely to pose any realistic risk to the rights and freedoms of the data subject. Although this should be determined case by case, if every hospital, clinic or healthcare provider reported such incidents routinely, DPAs would be overwhelmed with low-risk notifications. If, on the other hand, patients’ diagnosis records are disclosed, the reporting threshold is clearly met, as the breach exposed sensitive health and medical information.
Nonetheless, DPAs have made efforts to simplify breach reporting by offering online forms designed to guide you to the appropriate conclusion, that is, whether or not notification is required. Although most DPAs have online forms, some still rely on traditional document-based reporting. More information on how to reach each DPA is available here.
On another note, since personal data processing often spans several jurisdictions, so does breach reporting. Once you have determined that a data breach is notifiable, you should also determine which DPA to notify. The GDPR offers a one-stop-shop mechanism, but only if a company has its main establishment in the EU (or the UK, in the case of the UK GDPR), as defined in Article 4(16). The rule is quite simple: if you have a main establishment in an EU Member State, you notify the lead DPA in that Member State, and the lead DPA then notifies and cooperates with the other DPAs concerned. If you do not have a main establishment in the EU, you should notify each DPA in whose jurisdiction affected data subjects are located. Determining this in advance is helpful, as reporting to several DPAs within the same statutory deadline of 72 hours is operationally more demanding.
Another important consideration is the difference between when a data breach occurred and when you became aware of it. This significantly affects the reporting process, as statutory deadlines are tied to discovery: the clock starts on the date you became aware of the breach. Both dates should be reported, and a significant gap between them may signal weaknesses in your technical and organisational measures. For instance, if a data breach occurred months before you discovered it, DPAs would likely investigate why it took so long to detect.
In terms of what you need to include in your notification, most DPAs follow legal requirements and ask for similar information, but some may be more detailed than others. For example, some may ask for details on your company size and number of employees; others may require more specific information on how the data breach occurred, exact time and date, reasons for any reporting delays and so on. Some DPAs may also require your assessment of the severity of the breach. Ideally, whoever handles or assists in data breach reporting should have a solid understanding of three things: (i) the company’s operations and security posture; (ii) the specifics of the data breach itself and (iii) the requirements of the GDPR. Notifying DPAs should be done without undue delay and no later than 72 hours after having become aware of the data breach.
Additionally, breach reporting does not relate only to DPAs; in certain circumstances, it is highly important to also consider whether notifying data subjects is mandatory. Under the GDPR, such notification must be provided where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, and it must be done without undue delay. The difference between notifying DPAs and data subjects is that the notification threshold is set higher for data subjects, which protects them from unnecessary notification fatigue. In practice, companies must evaluate the risk against factors such as the type of personal data involved, the potential consequences for data subjects, and the likelihood of the risk materialising.
It is also important to note that the GDPR provides certain exceptions where notifying data subjects may not be required, even where a high-risk data breach has been identified. For example, notification may not be necessary where appropriate technical and organisational measures, such as encryption, were applied to the affected data and rendered it unintelligible to unauthorised persons. Similarly, notification may not be required where the controller has taken subsequent measures ensuring that the high risk is no longer likely to materialise, or where individual notification would involve disproportionate effort, in which case a public communication or similar equally effective measure should instead be used.
Conversely, where notification is required, it should be done in a clear, transparent and easy-to-understand manner covering the specific contents set out in Article 34(3). Depending on the circumstances and the contact information available, notifications may be sent through various channels; however, where an email address is available, email is generally considered one of the most effective and practical methods for notifying affected data subjects.
As a final note, in a GDPR context, Articles 33 and 34 are the “go-to” for personal data breaches. That said, navigating these obligations can be complex, and you don’t have to do it alone. You can always reach out to us for assistance; we have hands-on experience in breach handling, meeting reporting obligations and communicating with DPAs.
Sources:
Guidelines 01/2021 on Examples regarding Personal Data Breach Notification
Guidelines 9/2022 on personal data breach notification under GDPR