There is a requirement placed on data controllers to understand their legal obligations to report a personal data breach to the Data Protection Commission ("DPC") and to affected data subjects clearly, accurately and most importantly, within the prescribed time limits.
In this article, Technology and Innovation Partner Deirdre Crowley answers the key questions relating to why, when and how data controllers should notify the DPC and their data subjects of a personal data breach.
What are the Circumstances in which a Controller must Notify a Breach to the DPC?
Article 33 (1) of the General Data Protection Regulation 2016/679 (“GDPR”), and Section 86 of the Data Protection Act 2018 (“DPA”) require data controllers to notify the Data Protection Commission (“DPC”) of personal data breaches in certain circumstances. To recap, a personal data breach occurs where personal data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation’s obligation to keep personal data in its possession safe and secure.
A controller must notify the DPC where the data breach presents a risk to the rights and freedoms of data subjects.
When Should the DPC be Notified?
Time is of the essence: controllers must notify the DPC without undue delay and, where feasible, no later than 72 hours after becoming aware of a data breach. Where the notification to the DPC is not made within 72 hours, a controller must explain the reasons for the delay in writing when notifying the breach out of time.
The DPC is generally taking a strict approach to notification within 72 hours of becoming aware of a breach. In our view, only very genuine, exceptional circumstances can justify reporting out of time. While there is no statutory definition or case law guidance as to what might constitute an acceptable circumstance for notifying a data breach out of time, it is clear from the recent Twitter decision, in which Twitter was fined €450,000, that late notification will be difficult to justify and that the bar is very high.
How do I Determine if a Breach is Reportable to the DPC or Not?
The risk assessment to determine whether a breach is reportable or not can be distilled at a very high level into two key steps:
- Identify whether the data breach presents a risk to data subjects. The default position for controllers is that all data breaches are reportable to the DPC unless they are unlikely to result in a risk to the rights and freedoms of natural persons (meaning data subjects).
- Identify the extent of the breach, the effects of the breach, and any steps taken in response by the controller.
The only circumstance in which a data breach is not reportable to the DPC is when the personal data breach is not likely to result in a risk to the rights and freedoms of natural persons. Recital 75 of the GDPR and helpful guidance from the DPC are instructive when assessing the types of risk controllers should take account of.
Below are key risk indicators:
- Confirmation of the type and nature of the personal data, including whether sensitive personal data has been breached;
- The circumstances of the personal data breach;
- Whether or not the personal data had been protected by appropriate technical measures, such as encryption or pseudonymisation;
- The ease of direct or indirect identification of data subjects;
- The likelihood of the reversal of pseudonymisation or loss of confidentiality;
- The likelihood of identity fraud or similar misuse of the personal data occurring;
- Whether the personal data could be, or are likely to be, used maliciously;
- The likelihood that the breach could result in, and the severity of, physical, material, or non-material damage to data subjects; and
- Whether the breach could result in discrimination, damage to reputation, or harm to data subjects’ other fundamental rights.
What Information Must I Provide to the DPC When Notifying a Data Breach?
There is certain information that must be provided to the DPC when notifying a data breach.
At a high level, the information that must be provided under Article 33 (3) of the GDPR is as follows:
- Details of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- The likely consequences of the personal data breach; and
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Additionally, the DPC requests the following when notifying a data breach by way of the breach notification form:
- Details of the data controller, including whether the controller has establishments in other EEA states, and the sector in which the organisation operates (e.g. private sector, public sector);
- Details as to how the controller was made aware of the breach;
- Details of the relevant security and organisational measures in place prior to the breach;
- Details as to whether personally identifying data relating to individuals was disclosed, whether any special categories of data were disclosed, and whether data subjects in another EU member state are likely to be impacted;
- Details of any deficiencies in the organisational or technical measures identified as a result of the breach; and
- Whether the breached data has been secured or retrieved, and if not, the reason for failure to secure or retrieve the data.
Of note, the DPC announced in a guidance note published on 15 September 2021 that it is due to publish a new breach notification form. The DPC confirmed that the following revisions will be made to the breach notification form:
- Inclusion of screening questions to assist controllers in determining whether a breach notification is required to be made;
- Merging of the “national” and “cross-border” breach web-forms into a single form;
- Detailed options presented to users when selecting the type, nature and cause of the incident and the types of data involved; and
- Increased character limits for fields requiring expansive answers.
The DPC has yet to confirm when the new form will be in use.
What are the Circumstances in which a Controller must Notify a Breach to a Data Subject?
Article 34 (1) of GDPR, and Section 87 of the DPA, require controllers to inform data subjects of breaches of their personal data. When a data breach is likely to result in a high risk to the rights and freedoms of the data subject, the breach must be reported to them without undue delay.
Recital 85 of GDPR is helpful in assessing what constitutes a high risk to data subjects. Recital 85 provides examples of circumstances in which data subjects suffer material and non-material damage as a result of a breach. Examples include:
- Loss of control over personal data;
- Limitation of data subject rights;
- Identity theft or fraud;
- Financial loss;
- Unauthorised reversal of pseudonymisation;
- Damage to reputation;
- Loss of confidentiality of personal data protected by professional secrecy; or
- Any other significant economic or social disadvantage to the natural person concerned.
Article 34 (2) of the GDPR sets out key information that needs to be included in the notification to the data subject. The communication to notify the data subject of the breach must be written in clear and plain language and, at a minimum, must contain the following information:
- The name and contact details of the data protection officer, or other relevant contact point;
- The likely consequences of the personal data breach; and
- The measures taken, or proposed to be taken, by the controller to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
What are the Circumstances in which a Controller is Not Required to Report a Breach to a Data Subject?
Article 34 (3) (a) – (c) of the GDPR provides three limited exceptions to the obligation to notify data subjects of personal data breaches.
Controllers are not required to inform data subjects of personal data breaches where:
- The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- Notification to data subjects would involve disproportionate effort. In this scenario, a controller is obliged to issue a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
We recommend that organisations conduct frequent data breach simulations to road-test their ability to meet these very clear reporting requirements and deadlines. The key documentation required for reporting purposes should also form part of every organisation's routine data protection audits and privacy reviews, to ensure that controllers are ready to act in the event of a data breach.
For further assistance in relation to breach notification obligations and data subject notification obligations, please do not hesitate to contact Deirdre Crowley or any member of Matheson’s Data Protection, Privacy and Cybersecurity Team.