April 13, 2018

Reporting Data Breach Under General Data Protection Regulation (GDPR)


With the digital technologies available today, the amount of personal data that companies hold is immeasurable. In such a fast-moving technological world, everything about privacy and data protection is significant, and it is crucial for companies to scrutinise the data security measures they take to protect the personal data they hold. With the General Data Protection Regulation around the corner, a company's focus on data security has become even more essential, keeping in mind the hefty sanctions for noncompliance.

The General Data Protection Regulation (GDPR) in Article 33 strictly mandates that ‘In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.’[1] To comply with the 72-hour deadline, it is imperative to understand what the Article specifically says on each point. Accordingly, Article 33 focuses on:

  1. Personal Data Breach: Personal Data Breach as defined by the GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. [2]

  2. Supervisory Authority: The 72-hour deadline is for informing the relevant authorities about the breach. The question that then arises is who the supervisory authorities referred to in the Article are. They could be local or national data protection authorities. In the U.K., for instance, the organisation must notify the Information Commissioner’s Office (ICO)[3]. The GDPR defines the supervisory authority as follows: ‘Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.’ [4]

    Reporting under the GDPR requires certain details, rather than every single detail of the breach, to be provided to the supervisory authority within 72 hours. If the company does not have all the details available, it can provide them later. When reporting to the authority within 72 hours, the company should at least [5]:

    1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

    3. describe the likely consequences of the personal data breach;

    4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  3. Risk to the Rights and Freedoms of Natural Persons: Article 33 of the GDPR is complemented by Article 34, which states that when the breach is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall communicate the nature of the personal data breach to the data subject without undue delay, in clear and plain language.[6] However, notification of the data subjects is not required if:

    1. The controller has implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach (such as encryption).

    2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to arise.

    3. It would involve disproportionate effort.

However, the GDPR has not specifically answered the following questions:

  • What would constitute ‘undue delay’ under Article 33?

  • What are the criteria to determine ‘feasibility’ under Article 33?

  • What factors would establish a ‘high risk to the rights and freedoms of individuals’ for the purposes of Articles 33 and 34?

  • What would be considered as ‘disproportionate effort’ under Article 34?

__________________________________________
[1] Article 33 (1) of GDPR, available at https://gdpr-info.eu/art-33-gdpr/
[2] Article 4 (12) of GDPR, available at https://gdpr-info.eu/art-33-gdpr/
[3] https://www.trendmicro.com/vinfo/in/security/news/online-privacy/do-72-hours-really-matter-data-breach-notifications-in-eu-gdpr
[4] Article 51 of GDPR, available at https://gdpr-info.eu/art-33-gdpr/
[5] Article 33 (3) of GDPR, available at https://gdpr-info.eu/art-33-gdpr/
[6] Article 34 of GDPR, available at https://gdpr-info.eu/art-33-gdpr/