GDPR: Businesses will be considered 'aware' of data breaches when their data processors notice the breach, says watchdog

Out-Law News | 20 Oct 2017 | 8:38 am | 3 min. read

Businesses that outsource the processing of personal data to other companies will be said to be aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to proposed new guidance.

The draft guidance, published by EU data protection watchdogs, is aimed at explaining the obligations organisations will face to report data breaches under the forthcoming General Data Protection Regulation (GDPR). The GDPR will begin to apply on 25 May 2018.

At the moment, only some organisations, such as telecoms companies and financial firms, are obliged to report certain data breaches they experience to regulators. The practice of voluntarily reporting data breaches is, however, considered good practice for other organisations and can help them avoid a higher fine should the breach later come to the attention of regulators and failings in data security are found.

Under the GDPR, however, a new data breach notification regime will apply to mandate the reporting of certain data breaches to data protection authorities and affected individuals.

A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Under Article 33 of the Regulation, data controllers are generally required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".

Where personal data processing has been outsourced, data processors would, "without undue delay after becoming aware of a personal data breach", have to inform the data controller of the incident, according to the Regulation.

The Article 29 Working Party, which is a committee made up of representatives from data protection authorities based across the EU, has now issued draft guidance in an effort to clarify what those provisions mean in practice.

The Working Party said that data controllers would be said to be 'aware' of a data breach "when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised". It said this would depend on the circumstances of individual breaches.

In cases where the data processing has been outsourced, data controllers would nevertheless be considered to be 'aware' of a breach "once the processor has become aware", it said.

The Working Party recommended that data processors make "immediate notification" of breaches to data controllers and follow up with "further information about the breach provided in phases as information becomes available" to help data controllers meet their duties to report data breaches. It did not provide further clarity on what it meant by 'immediate'.

The Working Party said that it is open to data controllers to enable data processors to "make a notification on [their] behalf". However, the "legal responsibility to notify" will remain with data controllers in such cases.

The watchdog also endorsed a phased approach to notification of data breaches.

"The GDPR recognises that controllers will not always have all of the necessary information concerning a breach within 72 hours of becoming aware of it, as full and comprehensive details of the incident may not always be available during this initial period," the Working Party said. "As such, it allows for a notification in phases. It is more likely this will be the case for more complex breaches, such as some cyber security incidents where, for example, an in-depth forensic investigation may be necessary to fully establish the nature of the breach and the extent to which personal data have been compromised."

"Consequently, in many cases the controller will have to do more investigation and follow-up with additional information at a later point. This is permissible, providing the controller gives reasons for the delay," it said.

Delayed notification of data breaches is permissible in some circumstances, but not routinely, the watchdog said. It gave an example of where an organisation, when investigating one data breach, also uncovers additional similar breaches.

"Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes," the Working Party said. "This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches."

"Strictly speaking, each individual breach is a reportable incident. However, to avoid being overly burdensome, the controller may be able to submit a 'bundled' notification representing all these breaches, provided that they concern the same type of personal data breached in the same way, over a relatively short space of time. If a series of breaches take place that concern different types of personal data, breached in different ways, then notification should proceed in the normal way," it said.

Further draft guidelines on automated individual decision-making and profiling under the GDPR was published by the Working Party alongside the draft guidance on data breach notification. Both sets of draft guidelines are open to consultation until 28 November.