Out-Law Analysis | 24 Oct 2017 | 2:40 pm
The draft guidelines on the notification of personal data breaches issued by the Article 29 Working Party are likely to spur changes in market practice. The guidelines, open to consultation, are intended to have effect once the General Data Protection Regulation (GDPR) begins to apply on 25 May 2018.
The Working Party's proposals challenge existing assumptions held by many suppliers over when their clients would be said to be aware of data breaches that they, as processors, experience. Currently, many suppliers believe that their customers only become aware of data breaches they experience from the point at which a supplier reports those incidents to its customer.
That view, however, is not shared by the EU data protection watchdogs that make up the Working Party.
When controllers are said to be aware of personal data breaches is important because the GDPR will introduce new deadlines for those organisations to notify those incidents to data protection authorities and data subjects. The GDPR will apply from 25 May 2018.
Specifically on notifying the authorities, the GDPR states that controllers are generally required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
The Working Party said that controllers would be said to be 'aware' of a data breach "when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised". It said this would depend on the circumstances of individual breaches.
Where controllers outsource the processing of personal data to other companies, they will be said to be 'aware' of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to the Working Party's proposals.
The Working Party recommended that processors make "immediate notification" of breaches to controllers and follow up with "further information about the breach provided in phases as information becomes available" to help controllers meet their duties to report data breaches. It did not provide further clarity on what it meant by 'immediate'.
Currently, it is not unusual for data processing contracts to require processors to report data breaches to controllers within 72 hours of that breach being identified.
Often the large technology suppliers that deliver the data processing function are reluctant to agree to shorter deadlines for notification on the basis that they themselves need time internally to investigate the incident and establish that a breach has occurred, and that the breach is disclosable under the terms of their contracts.
The controllers often push for shorter timeframes – typically 24 hours – for notification in contract negotiations, recognising that the earlier they are informed about an incident the earlier they can carry out their own incident response plans, mitigate negative effects of a breach and meet any regulatory obligations to notify those incidents – businesses in the financial services and telecoms markets, for example, already have to disclose certain data breaches to regulators.
These market practices and negotiating positions have been built on the assumption that controllers are not said to be aware of data breaches at their processors until the processor reports those incidents to them. According to this position, in legal compliance terms, the clock for notification by the controller would not begin to tick until they receive the processor's notification.
The Working Party's draft guidance will demand a rethink of the contractual terms to include in data processing contracts by both controllers and processors.
Controllers will no longer be willing to accept a 72-hour window for processors to disclose breaches to them. Such contracts would not pass a legal and compliance check, as they would leave the controllers with insufficient time of their own to report those incidents to data protection authorities in line with the requirements of the GDPR.
In any case, processors notifying a data breach to controllers 72 hours after identifying the breach would be unlikely to be considered to have made "immediate notification", as the Working Party suggested they should do in its draft guidance, albeit that the processor's statutory obligation under the GDPR will be to notify the controller "without undue delay".
In practice, the Working Party's draft guidance, if finalised in current form, will force processors to become more efficient in terms of how they respond to data breaches and notify controllers.
As a minimum we can expect that technology suppliers will move to a contractual commitment of notification within 24 hours, but it is possible that the market will shift towards even shorter deadlines. Technology suppliers could potentially commit to notification within a few short hours to conform to the "immediate notification" guidelines and undercut rival providers in a bid to secure more business from compliance-conscious customers.
The onus will therefore be on processors to review their systems and processes for handling data breaches so as to cut the time it takes to reach the trigger point for notification to controllers.
There is a compliance risk for controllers to consider too in terms of their obligations to report data breaches in an outsourcing context.
Under the GDPR, controllers are required to contractually oblige processors to assist them to meet their data breach notification obligations.
Controllers will need to ensure that the wording of those contracts sets a very specific timescale for breach notification. That way, in cases where a processor's untimely disclosure of a breach causes the controller to miss its own notification deadline, the controller can demonstrate to regulators that the delay was due to the processor falling foul of its contractual obligation to notify within a set period of time, as opposed to the contractual obligation to notify being non-specific or overly generous on timescale.
If the terms of those clauses are insufficiently specific about the nature of incidents that processors are obliged to report, or the timeframes within which they are obliged to disclose them, then, potentially, the data protection authorities could hold the controllers liable for failure to notify a personal data breach, even where that delay to notify was caused by the processor.
Kathryn Wynn is a data protection law specialist at Pinsent Masons, the law firm behind Out-Law.com.