Episode Ten – Data Breaches
In 2017 there were well over 200 large-scale data breaches, the largest of which was the admission that the Yahoo data breach touched every single account, over 3 billion of them. Data breaches affected organisations large and small and included many well-known names: Hyatt, Deloitte, and Uber, to name but a few.
The new General Data Protection Regulation, which comes into force next year, includes a provision that companies must inform the competent supervisory authority of a personal data breach.
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […] unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.[…]”
GDPR Article 33
The reasoning for the inclusion of this provision is threefold. Firstly, by shining a light on operational failure, controllers have an opportunity to understand the causes of failure, and to learn and develop appropriate controls. Secondly, data subjects are afforded an opportunity to take steps to protect their own interests. Thirdly, it provides the regulators with the information they need to undertake their supervisory function.
However, businesses do not need to notify the supervisory authority in the event of every breach of personal data. Article 4 (12) defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. As such, the first question to ask in deciding whether to notify the competent authority is: did the data breach actually affect personal data?
The trigger for notification to the supervisory authority is the detection of a breach of personal data. Articles 4 and 33 are another demonstration of the self-reinforcing nature of the GDPR. It could be argued that by not installing breach detection controls, a company would never have to notify the Supervisory Authority of a data breach, as it would be unable to detect one. However, the security principles outlined in Article 5, together with the requirement to notify a breach, create an implicit requirement to put breach detection controls in place.
Having detected a breach, a controller needs to establish whether it meets the definition of a personal data breach and, if so, whether it is likely to cause a risk to the rights and freedoms of data subjects. This evaluation needs to be done within a short window of time, as the controller must notify the Supervisory Authority within 72 hours.
In conversations with companies, it is clear that there is a lack of clarity as to when a breach is likely to affect the rights and freedoms of data subjects. Reviewing the text of Article 33 suggests a very low bar for notification. The reason for this is that the concept of risk is not subject to a severity threshold, and the concept of rights and freedoms is particularly broad. Should the data breach affect subjects in a number of EU states, then there is a requirement to inform the supervisory authority in each state.
Clearly, for the assessment of the breach and its impact to happen within the required 72-hour window, companies need to have procedures in place for dealing with a breach of personal data.
When notifying the Supervisory Authority of a breach there is a requirement to supply various pieces of information:
- The nature of the breach
- The categories and approximate number of affected data subjects and affected personal records
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including where appropriate measures to mitigate the possible adverse effects.
Clearly it may not be possible to provide all of the above within the 72-hour window due to the ‘moving nature’ of the data breach event. In this case the Supervisory Authority should be provided with as much information as possible, with further information to follow.
It should also be noted that regardless of whether the data breach merits reporting to the Supervisory Authority, Article 33 requires companies to keep records of ALL data breaches.
Depending on the severity of the breach and the mitigations taken by the affected business, there may be a requirement to notify the affected data subjects. Article 34 sets out this requirement, the deciding factor being whether the breach is likely to present high risks to the rights and freedoms of the individual. When weighing what constitutes a high risk, Recital 75 offers some guidance, making reference to ‘potential physical, material and non-material damages’, whilst Recital 76 notes that risk should be evaluated in the context of the ‘nature, scope, context, and purpose of processing.’
One example demonstrating the above: whilst the release of a subject's home address is a data breach with a low risk, that same data together with dates of travel abroad would be classed as high risk. One takeaway from this is that whilst data points on their own might seem fairly innocuous (home address), when they are coupled with data from other tables/systems/sources (travel dates) the level of risk associated with that data increases.
There are no exceptions to the need to inform the Supervisory Authority; however, Article 33 sets out exceptions to the need to inform data subjects of the data breach:
- The data is rendered unintelligible to any person who is not authorised to access it (e.g. by the use of encryption).
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- Notification would involve disproportionate effort. In such a case, there should instead be a public communication.
It is clear that breach detection and its subsequent recording and notification is an area in which companies should have robust policies and procedures in place, ready to be enacted should the need arise. Robust security controls can go a long way towards mitigating the requirement to inform data subjects of the breach, something which could cause serious reputational damage to companies.
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.