The Article 29 Working Party’s draft guidance on Breach Notification under the General Data Protection Regulation (GDPR) provides welcome recognition of the need to do incident response and mitigation in parallel with any breach notification rather than, as I’ve been warning since 2012, giving priority to notification. Now the Working Party is explicit that “immediately upon becoming aware of a breach, it is vitally important that the controller should not only seek to contain the incident but it should also assess the risk that could result from it”. And in reporting “the focus should be directed towards addressing the adverse effects of the breach rather than providing precise figures.”
The guidance confirms the GDPR’s wide definition of security breach: “this can include loss of control over [individuals’] personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals”. It also clarifies that events affecting the availability of personal data – e.g. ransomware, loss of a decryption key and denial of service attacks – qualify as breaches, and may need to be reported if they affect individuals’ rights, for example by causing the cancellation of a hospital operation.
The GDPR expects breaches that create a risk to individual rights to be reported to the relevant national data protection authority within 72 hours of the data controller becoming aware of the breach. According to the Working Party, that is “when that [data] controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”. If a breach is suspected, but the controller does not yet have clear evidence that personal data have been affected, the “controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred”, but this must be done “as soon as possible”. Remedial action and reporting should be started as soon as there is “a reasonable degree of certainty”: controllers should not wait until complete details have been obtained.
The GDPR also requires that where a breach represents a high risk to individuals (for example “discrimination, identity theft or fraud, financial loss [or] damage to reputation”), they must be notified, either individually or through a public notice. The Working Party gives examples of the kinds of notification expected: “direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual”. The GDPR does not set specific time limits for notifying individuals, and the Working Party recognises that this will depend on the “nature of the breach and the severity of the risk”: “if there is an immediate threat of identity theft, or if special categories of personal data are disclosed online, the controller should act without undue delay to contain the breach and to communicate it to the individuals concerned … In exceptional circumstances, this might even take place before notifying the supervisory authority”. In less urgent cases data controllers can seek advice, as part of their notification to the data protection authority, on whether they need to notify individuals.
The Working Party is clear that this will require organisations to have and follow documented incident response plans: “Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary”.