A dose of fear is warranted, however, and might push companies to implement better data protection methods so that breaches do not happen in the first place.
Today we are going to examine some of the most cited and oft-misunderstood provisions of the GDPR regarding data breaches. They may not put you at ease, but at least you will know what is going on… and this time for sure.
You must notify the supervisory authority any time a breach occurs
While the GDPR is rather strict when it comes to plenty of its provisions, there is some reasonable leeway allowed. For example, unlike what is commonly taught, you are not required to report all data breaches to the supervisory authority.
You are required to notify the supervisory authority of a data breach unless its impact is deemed insignificant, posing no risk to the rights and freedoms of the data subjects. In practice, this covers data whose loss or breach would be only a minor annoyance to the individuals and would not upset them if it ended up in the wrong hands. If you can imagine their data being used in any malicious way, such as for identity theft, a swift response and notification are mandatory.
Obviously, if you feel uncertain about the level of significance of the data, as we presume will be the case with most SMEs, it would be best to report the breach in any case. We expect regulators to come out with concrete guidelines for impact assessment; currently there are no strict guidelines, and most companies do not feel knowledgeable enough to assess the impact on their own, especially under the threat of huge fines if they guess wrong. This is in the interest of the supervisory authorities as well, since they face the risk of being overburdened with reports of trivial data breaches.
The breach notification should take place within 72 hours after a breach has been detected; the sooner, the better. Any delays in reporting should be justified and adequately documented.
You must notify all the individuals whose data is at risk
Article 34(1) mandates the notification of all the individuals whose data has been affected if such a breach would result “in a high risk to the rights and freedoms of natural persons”. The notification should be without undue delay.
Furthermore, you should phrase a notification in clear and easily understandable language. No ‘legalese’ is welcome, and do not try to ‘sugarcoat’ the fact that a breach has occurred. Supervisory authorities certainly will not look kindly upon such manipulation.
It is obvious from the above that notification is not necessary in the case of a low or insignificant risk to the freedoms of individuals, but there are further provisions designed to ease the burden on organizations that must report.
Under the GDPR, if the breach affects many individuals and it would be either impossible or unfeasible to contact all of them individually, you can inform them via a public communication. This can be a press release or a general notification on your website that users will see when they try to log in. Make sure the communication is effective, though. CEOs must respond to a data breach properly and decisively.
Also, the risk threshold for individual notification is higher than for supervisory notification. Some data breaches may require notifying the supervisory authority but not the affected individuals. If you have adequately encrypted the data, or applied pseudonymisation methods, then notifying the individuals is also not mandatory, as the data is deemed to be safe enough.
A breach notification can contain details at your discretion
It might be tempting to list only the favourable details – such as what you did to mitigate the data breach – but the mandatory report content is set out in Article 33(3).
Your report should contain contact details of a data protection officer (if you have one) or a privacy contact point. You should describe the potential consequences and gravity of the breach. Then, you should list the measures you are planning to take or have undertaken to mitigate and address the consequences of the breach.
Even if you do not have all the information on hand, submit your report anyway. You are allowed to submit information in phases. It is much better to submit what you have on time than wait for all the relevant details and miss a deadline.
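The notification rules described above (report to the supervisory authority unless the risk is insignificant, report to individuals only at high risk, the encryption/pseudonymisation exemption, public communication when individual contact is unfeasible, the 72-hour window, phased submission, and the Article 33(3) report items the article lists) form a small decision procedure. The following Python model is an added illustration written for this page, not code from the article's author or any regulator; the `Risk` levels, the `Breach` fields and the sample breach are constructed assumptions, and it simplifies the legal text to the thresholds the article states.

```python
"""Breach-notification triage model based on the thresholds described in the
article. Added illustration only; it is not a legal assessment tool."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

AUTHORITY_WINDOW = timedelta(hours=72)   # the 72-hour supervisory-notification window


class Risk(Enum):
    UNLIKELY = "unlikely"      # loss would be at most a minor annoyance to the data subjects
    UNCERTAIN = "uncertain"    # the team cannot assess the impact confidently
    LIKELY = "likely"          # a real but not high risk to rights and freedoms
    HIGH = "high"              # e.g. data usable for identity theft


@dataclass
class Breach:
    detected_at: datetime
    risk: Risk
    affected_individuals: int
    # The article treats adequately encrypted or pseudonymised data as safe enough
    # to lift the duty to notify individuals (assumed verified by the team).
    data_protected: bool = False
    # False when contacting everyone individually is impossible or unfeasible.
    individual_contact_feasible: bool = True


@dataclass
class Obligations:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_individuals: bool
    individual_channel: Optional[str]   # "direct" or "public communication"


def assess(breach: Breach) -> Obligations:
    # Supervisory authority: notify unless the risk is genuinely insignificant.
    # Uncertain impact is reported, as the article advises for SMEs.
    notify_authority = breach.risk is not Risk.UNLIKELY
    deadline = breach.detected_at + AUTHORITY_WINDOW if notify_authority else None
    # Individuals: a higher threshold (high risk) plus the protected-data exemption.
    notify_individuals = breach.risk is Risk.HIGH and not breach.data_protected
    channel = None
    if notify_individuals:
        channel = "direct" if breach.individual_contact_feasible else "public communication"
    return Obligations(notify_authority, deadline, notify_individuals, channel)


def is_overdue(breach: Breach, now: datetime) -> bool:
    """True once the 72-hour window has passed; any later report needs a documented justification."""
    obligations = assess(breach)
    return obligations.notify_authority and now > obligations.authority_deadline


def authority_report(breach: Breach, contact: str, consequences: str,
                     measures: list, complete: bool = True) -> dict:
    """Assemble the report items the article lists from Article 33(3).
    complete=False marks a phased submission: send what is known now, follow up later."""
    return {
        "detected_at": breach.detected_at.isoformat(),
        "contact_point": contact,                     # DPO or privacy contact point
        "affected_individuals": breach.affected_individuals,
        "likely_consequences": consequences,
        "mitigation_measures": list(measures),        # taken or planned
        "submission": "complete" if complete else "initial - further details to follow",
    }


# Constructed sample: a stolen, unencrypted laptop holding customer records.
SAMPLE_DETECTED_AT = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
SAMPLE_BREACH = Breach(detected_at=SAMPLE_DETECTED_AT, risk=Risk.HIGH,
                       affected_individuals=40_000, individual_contact_feasible=False)

if __name__ == "__main__":
    print(assess(SAMPLE_BREACH))
    print(authority_report(SAMPLE_BREACH, "privacy@example.com (placeholder)",
                           "identity theft if the disk is read",
                           ["remote wipe issued", "credentials rotated"], complete=False))
```

For the sample laptop theft the model returns a supervisory notification due 72 hours after detection and a public communication to the 40,000 affected customers; flipping `data_protected` to `True` keeps the supervisory duty but drops the individual one, which is exactly the asymmetry the article describes.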
A data breach only refers to hacking
The term ‘data breach’ sounds a bit misleading and evokes images of hackers ‘breaking into’ company servers and siphoning data from them. However, the term refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)).
This means that an employee mishandling data could also constitute a data breach. Theft of company laptops can also fall under the scope of the definition, as well as improper deletion of user data (disposal of improperly sanitized hard drives or writable media).
Data breaches are easy to deal with
Data breaches are notoriously difficult to handle. If they are severe enough, they might threaten the very existence of the company. Damage to reputation can be significant, as can the economic losses stemming from it – the loss of potential clients and the shaken trust of existing ones. In some cases, you open yourself up to lawsuits for damages.
And that is without even taking into account the potential fines. If you fail to notify the supervisory authority in time, you could face a fine of EUR 10 million or 2 percent of your company’s global annual turnover, whichever is higher. Grave negligence of basic principles for data processing carries the risk of double the aforementioned fine.
Do not forget the tight reporting periods. While your team probably has its hands full diagnosing and handling the breach, it simultaneously has to document and report everything to the supervisory authorities. This puts immense pressure on you and your company.
The above means that the best way of handling data breaches is not to experience them in the first place. Sound data handling policies can help with that. Do not risk it all in a single data breach – invest a little in sound security policies by ensuring compliance with the GDPR and never lose sleep over the risk of a data breach. Such an investment will pay for itself several times over.