Out-Law News 3 min. read
06 Sep 2017, 1:17 pm
Elizabeth Denham said the data breach notification regime under the General Data Protection Regulation (GDPR) "will raise the level of security and privacy protections across the board". The GDPR will apply from 25 May 2018.
Denham rejected suggestions that the new requirements are "all about punishing organisations".
"Personal data breach reporting has a strong public policy purpose," Denham said in a new blog. "The law is designed to push companies and public bodies to step up their ability to detect and deter breaches. What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities."
"The public need to have trust and confidence that a regulator is collecting and analysing information about breaches, looking for trends, patterns and wider issues with organisations, sectors or types of technologies. It will help organisations get data protection right now and in the future," she said.
Denham said the Information Commissioner's Office (ICO) is currently working with other data protection watchdogs from across the EU to "produce guidance that will set out when organisations should be reporting, and the steps they can take to help meet their obligations under the new data breach reporting requirement". The ICO has already published brief guidance on the topic. Denham urged businesses to think about what measures they need to have in place to comply with the new duty to report certain data breaches under the GDPR.
"You should be preparing now by ensuring you have the roles, responsibilities and processes in place for reporting; this is particularly important for medium to large organisations that have multiple sites or business lines," Denham said.
At the moment, only some organisations, such as telecoms companies and financial firms, are obliged to report certain data breaches they experience to regulators. Voluntarily reporting data breaches to the ICO is, however, considered good practice for other organisations and can help them avoid a higher fine should the breach later come to the ICO's attention and failings in data security be found.
Under the GDPR, however, a new data breach notification regime will apply to mandate the reporting of certain data breaches to data protection authorities and affected individuals.
A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Under Article 33 of the Regulation data controllers are generally required to notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons".
Where personal data processing has been outsourced, data processors would, "without undue delay after becoming aware of a personal data breach", have to inform the data controller of the incident. In practice, therefore, data processors would have to report every personal data breach that occurs on their watch to the data controller, and data controllers would then have to report breaches that are likely to 'result in a risk to the rights and freedoms of natural persons' to the authorities.
Information to be disclosed will include details of the nature of personal data breaches, including what categories of people the incident concerns, how many people are impacted and the type and approximate number of records exposed.
A higher threshold for notifying affected members of the public of data breaches will apply under the Regulation.
Data breaches must be "likely to result in a high risk to the rights and freedoms of natural persons" before notification would be required, but there are further conditions set out in the legislation to restrict the circumstances in which notification would need to be made.
If data controllers have applied "appropriate technical and organisational protection measures" to the personal data affected by a breach then they would not have to notify data subjects about those incidents. This includes cases, for example, where encryption has been applied to data to render it "unintelligible to any person who is not authorised to access it", according to the Regulation.
Alternatively, if data controllers take action after a breach to "ensure that the high risk to the rights and freedoms of data subjects … is no longer likely to materialise" then notification of those incidents to data subjects would not be mandatory.
When the threshold for notification to data subjects is triggered, notification must be made by data controllers without undue delay.
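The tiers described above (processor to controller for every breach; controller to the authority within 72 hours unless the breach is unlikely to result in a risk; controller to affected individuals only where a high risk is likely and neither of the two exemptions applies) can be encoded as a triage step in an incident-response runbook, so that the decision and the 72-hour clock are recorded at the moment the organisation becomes aware. The following Python is an added example written for this page; it is not code from Out-Law, the ICO or the Regulation. The three-level risk scale, the field names, the `assess`, `authority_report` and `hours_remaining` helpers and the sample breach are all constructed for the example.

```python
"""Breach notification triage for the GDPR regime described in the article.

Constructed illustration (not ICO guidance or the Regulation's text): encodes
the notification tiers the article describes so an incident-response runbook
can record the decision and the 72-hour clock. The risk scale, field names and
sample breach are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# "not later than 72 hours after having become aware of it"
AUTHORITY_DEADLINE = timedelta(hours=72)


class Role(Enum):
    CONTROLLER = "controller"
    PROCESSOR = "processor"


class Risk(Enum):
    """Assumed three-level scale for 'risk to the rights and freedoms of natural persons'."""
    UNLIKELY = 0  # unlikely to result in a risk
    LIKELY = 1    # likely to result in a risk
    HIGH = 2      # likely to result in a high risk


@dataclass
class Breach:
    aware_at: datetime                  # when the organisation became aware (UTC)
    risk: Risk
    subject_categories: List[str]       # categories of people concerned
    approx_subjects: int                # how many people are impacted
    record_types: List[str]             # type of records exposed
    approx_records: int                 # approximate number of records exposed
    data_unintelligible: bool = False   # e.g. encrypted, keys not exposed
    risk_mitigated_after: bool = False  # later action: high risk no longer likely


@dataclass
class Plan:
    inform_controller: bool
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_data_subjects: bool
    reasons: List[str] = field(default_factory=list)


def assess(breach: Breach, role: Role) -> Plan:
    """Apply the tiers: processor -> controller (every breach); controller ->
    authority (unless risk unlikely, within 72h); controller -> individuals
    (high risk only, subject to the two exemptions)."""
    if role is Role.PROCESSOR:
        # Processors report every breach to the controller; the controller decides the rest.
        return Plan(True, False, None, False,
                    ["processor: inform the controller of every breach without undue delay"])

    plan = Plan(False, False, None, False)
    if breach.risk is Risk.UNLIKELY:
        plan.reasons.append("unlikely to result in a risk: authority notification not required")
        return plan

    plan.notify_authority = True
    plan.authority_deadline = breach.aware_at + AUTHORITY_DEADLINE
    plan.reasons.append("risk to individuals: notify the authority without undue delay, within 72h")

    if breach.risk is not Risk.HIGH:
        plan.reasons.append("not high risk: data-subject notification not required")
    elif breach.data_unintelligible:
        plan.reasons.append("data rendered unintelligible: data-subject notification not required")
    elif breach.risk_mitigated_after:
        plan.reasons.append("high risk no longer likely to materialise: data-subject notification not required")
    else:
        plan.notify_data_subjects = True
        plan.reasons.append("high risk: notify data subjects without undue delay")
    return plan


def authority_report(breach: Breach) -> dict:
    """The details the article says an authority notification will include."""
    return {
        "subject_categories": breach.subject_categories,
        "approx_subjects": breach.approx_subjects,
        "record_types": breach.record_types,
        "approx_records": breach.approx_records,
    }


def hours_remaining(plan: Plan, now: datetime) -> Optional[float]:
    """Hours left on the 72-hour clock, or None if no authority notification is due."""
    if plan.authority_deadline is None:
        return None
    return (plan.authority_deadline - now).total_seconds() / 3600


# Constructed sample breach for demonstration (not a real incident).
SAMPLE = Breach(
    aware_at=datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc),
    risk=Risk.HIGH,
    subject_categories=["customers"],
    approx_subjects=12000,
    record_types=["names", "email addresses", "password hashes"],
    approx_records=12000,
)

if __name__ == "__main__":
    plan = assess(SAMPLE, Role.CONTROLLER)
    print(plan)
    print(authority_report(SAMPLE))
    print(hours_remaining(plan, SAMPLE.aware_at + timedelta(hours=24)))
```

Running the sample as a controller yields an authority notification due by 2018-06-04 09:00 UTC and a data-subject notification; marking the same breach as encrypted (`data_unintelligible=True`) keeps the authority notification but drops the data-subject one, which is the distinction the two thresholds in the article draw.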