Data controllers are familiar with their legal obligation to report a personal data breach to the Data Protection Commission ("DPC") when Article 33, GDPR is triggered and where necessary, to notify affected data subjects when Article 34 is triggered.
In this article, Deirdre Crowley, a partner in Matheson’s Data Protection, Privacy and Cyber Security Team considers the key issues to bear in mind when carrying out a risk assessment with a view to establishing what notifications, if any, are required in a personal data breach scenario.
What are the Circumstances in which a Controller must Notify a Breach to the DPC?
Article 33 (1) of the General Data Protection Regulation 2016/679 (“GDPR”), and Section 86 of the Data Protection Act 2018 (“DPA”) require data controllers to notify the Data Protection Commission (“DPC”) of personal data breaches in certain circumstances. To recap, a personal data breach occurs where personal data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation’s obligation to keep personal data in its possession safe and secure.
A controller must notify the DPC when a personal data breach occurs, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When Should the DPC be Notified?
Time is of the essence and controllers must notify the DPC, without undue delay and, where feasible, no later than 72 hours after becoming aware of a data breach. Where the notification to the DPC is not made within 72 hours, a controller must explain the reasons for the delay in writing when notifying the breach out of time.
The DPC is generally taking a strict approach to notification as soon as possible (without undue delay) and certainly within 72 hours of becoming aware of a breach.
In our view, only very genuine and exceptional circumstances can justify reporting out of time. While there is no statutory definition or case law guidance on what might constitute an acceptable circumstance explaining why the notification of a data breach was made out of time, it is clear from the recent Twitter decision, in which Twitter was fined €450,000, that late notification will be difficult to justify and that the bar is very high.
Even where a breach is not notifiable in a controller’s opinion, there is an obligation to document the facts of the breach, its effects and the remedial action taken (Article 33(5), GDPR). In December 2021, the European Data Protection Board published useful examples of how to approach risk assessments in various data breach scenarios and we recommend that these guidelines ("the Guidelines") are consulted for all risk assessments in relation to personal data breach scenarios. Notably, the Guidelines note that if a controller self-assesses the risk as unlikely, but the risk subsequently materialises, the competent supervisory authority ("SA") can use its corrective powers and may impose sanctions.
How do I Determine if a Breach is Reportable to the DPC or Not?
The risk assessment to determine whether a breach is reportable or not can be distilled, at a very high level, into two key steps:
- Does the personal data breach present a risk to the privacy of the data subject(s)? A data breach is not reportable if it is unlikely to result in a risk to the rights and freedoms of the data subject.
Recital 75 of the GDPR and helpful guidance from the DPC are instructive when assessing the types of risk controllers should take account of. The default position for controllers is that all data breaches are reportable unless they are unlikely to result in a risk to the rights and freedoms of natural persons (meaning a data subject).
- Identify the extent of the breach, the effects of the breach, and any remedial steps taken.
Overview of the Key Risk Indicators in a Data Breach Risk Assessment:
- Confirmation of the type and nature of the personal data, including whether sensitive personal data has been breached;
- The circumstances of the personal data breach – is it limited to the Irish jurisdiction or is it a cross-border issue?;
- Whether an uncorrupted, secure backup of the data exists and whether the data is rendered unintelligible to unauthorised third parties by reason of state of the art security measures – check whether two-factor authentication, encryption, pseudonymisation or other security measures are in place;
- The ease of direct or indirect identification of data subjects;
- The likelihood of the reversal of pseudonymisation or of loss of confidentiality;
- The likelihood of identity fraud or similar misuse of the personal data occurring;
- Whether the personal data could be, or are likely to be, used maliciously;
- The likelihood that the breach could result in, and the severity of, physical, material, or non-material damage to data subjects; and
- Whether the breach could result in discrimination, damage to reputation, or harm to data subjects’ other fundamental rights.
What Information Must I Provide to the DPC When Notifying a Data Breach?
The DPC recently published a new data breach notification form that sets out in some detail the information to be provided, further to the information required to be submitted in line with Article 33, GDPR. Where not all of the information is yet available but it is clear that a security incident is notifiable, it is possible to furnish further information to the DPC in phases without undue delay (Article 33(4), GDPR).
Key changes of note include the abolition of the separate cross-border notification form and the streamlining of both domestic and cross-border notifications into one form. The DPC’s request for specific information in the new form is more granular and is designed to avoid follow-up queries from the DPC where possible.
Examples of Likely Risk Factors that would Trigger a Notification to a Data Subject
- Identity theft or fraud;
- Financial loss;
- Unauthorised reversal of pseudonymisation;
- Damage to reputation;
- Loss of confidentiality of personal data protected by professional secrecy; or
- Any other significant economic or social disadvantage to the natural person concerned that limits their data subject rights.
For further guidance on “likely to result in a high risk” processing operations, see Article 29 Working Party Guidelines dealing with how to assess risk in the context of preparing a Data Protection Impact Assessment (DPIA).
What Minimum Information must be in a Notification to a Data Subject?
- The name and contact details of the data protection officer, or other relevant contact point;
- The likely consequences of the personal data breach; and
- The measures taken, or proposed to be taken, by the controller to address the personal data breach including, where appropriate, measures the data subject may need to take to mitigate any potential adverse effects (Article 34 (2), GDPR).
What are the Circumstances in which a Controller is Not Required to Report a Breach to a Data Subject?
- The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- Notification to data subjects would involve disproportionate effort. In this scenario, a controller is obliged to issue a public communication or similar measure whereby the data subjects are informed in an equally effective manner (Article 34 (3) (a) – (c) of the GDPR) and may be required to explain to the DPC why individual notification was a disproportionate burden.
We recommend that organisations conduct frequent data breach simulations to road-test the organisation’s ability to meet its very clear notification obligations on time.
Having up to date Article 30 records, accurate data mapping and state of the art security will mean that a controller is well placed to meet the challenges of a personal data security incident.
The recent December 2021 EDPB Guidelines note the importance of having a “Handbook on handling Personal Data Breach” such that a controller is aware of each facet of processing at each major stage of a data processing operation. The Guidelines note that having a handbook of this kind will provide a quick source of information to controllers to best position them to mitigate risk and deal with reporting obligations without undue delay.
Having advised on multiple serious personal data security breaches, we applaud the EDPB’s practical observations in this regard and confirm the very real benefit for controllers in data breach scenarios, including in cyber security related breaches, in having up to date and accurate data protection compliance documentation.
For further assistance in relation to any issues raised in this article, please do not hesitate to contact Deirdre Crowley or any member of Matheson’s Data Protection, Privacy and Cyber Security Team.