Compared to the current legal framework, the GDPR contains stricter obligations with regard to data security, data breach notifications, and data subject notifications. Therefore, many companies have already started preparing compliance, given that many of these obligations will require time to implement.
The GDPR requires both data processors and data controllers to implement appropriate security measures on every level of data processing.
In this regard, the GDPR provides specific suggestions such as, but not limited to:
- The pseudonymization and encryption of personal data.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, for example, approved and tested codes of conduct, certifications, and guidelines.
In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
In particular, the risk would be higher for large-scale processing operations involving considerable amounts of personal data because a data breach could affect a large number of data subjects. For example, a hospital’s storing of patient files in the cloud has a higher risk than a local, independent hairdresser’s customer loyalty program because of the large scale processing of the operation and the sensitive nature of the patient data of a hospital.
Data Breach Notification
A data breach is a security incident in which sensitive, protected, or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
Such incidents range from concerted attacks with the backing of organized crime or national governments to careless disposal of used computer equipment or data storage media.
Under the GDPR, the data controller must notify any data breach to the supervisory authority without undue delay and, where feasible, within 72 hours as from the time the controller became aware of the breach. If this timeframe is not met, the untimely notification must be substantiated by reasons justifying the delay.
The data breach notification must contain information including, among others:
- the nature of the personal data breach, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the likely consequences of the data breach;
- a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a “risk to the rights and freedoms of natural persons”. The preamble of the GDPR states that a risk to the rights and freedoms of individuals can consist of physical, material, or non-material damage such as identity theft or fraud, financial loss, discrimination, or reputational damage.
Lastly, the data controller must also maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed.
If the data processor becomes aware of a data breach, it must notify the data controller about it. The data processor itself has no other notification or reporting obligations.
Data Subject Notification
In certain instances, the GDPR also requires that data breaches caused to data subjects be notified. If the data controller has determined that the data breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also communicate— without undue delay—the information regarding the data breach to the data subjects affected by it.
The GDPR does not further specify the distinction between “high risk” with regard to data subject notification and “risk” with regard to data breach notification. Therefore, this phrase will surely become the subject of many discussions regarding the necessity of a data subject notification obligation.
The GDPR sets forth three exceptions whereby the data controller must not be required to notify data subjects:
- the data controller has implemented appropriate technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it, such as encryption;
- the data controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
- when notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.
To Do List
The practical implementation of the requirements under this section is challenging. This is not in the least because of the ambiguity of certain terms such as “undue delay”, “likelihood of/(high) risk to rights and freedoms”, and “disproportionate effort”, which remain to be further clarified and defined in practice.
Also, companies might want to prepare themselves to meet these additional requirements by:
- developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems, and incident response plans;
- practicing and testing such procedures on a regular basis;
- investing in the implementation of appropriate technical and organizational measures to ensure data security.
To read more about this series of articles (and the articles that were published previously), please click here.