Will entities be required to report any serious contraventions of the GDPR to the regulators and to data subjects affected?
According to Article 33.1 of the GDPR reporting those contraventions will not be required in all cases, but only if the breach in question implies a risk to the rights and freedoms of the individuals whose data have been affected by the contravention.
The Article 29 Working Party has clarified that there is a “risk to the rights and freedoms” if the breach can lead to physical, material, or non-material damage to the individuals whose data have been breached. Any such risk should appear to be related to a third party’s non-authorized access to the individual’s information, leading to the violation of that individual’s rights to privacy or any other relevant right (e.g., economic loss derived from the use of a credit card number of an individual whose data have been unduly accessed). When evaluating this risk, one should do so on the basis of an objective assessment while taking into account criteria such as the type of breach, the nature, sensitivity, and volume of personal data concerned, the ease of identification, the severity of consequences for individuals, etc.
Hence, according to this approach, incidents that have no consequences on the rights and freedoms of individuals (e.g., loss of information, without any third party having accessed to such data) should not be reported under the GDPR.
Stibbe, together with Chiomenti, Cuatrecasas, GIDE and Gleiss Lutz, have gathered this useful information, reflecting some common misconceptions about the implementation of the GDPR.