Most recent GDPR news stories highlighted the new 72-hour breach notification requirement and the potential €20,000,000 fines. Yes, those are provocative highlights that generate clicks and views, but they don’t provide much guidance for organizations, security compliance officers, and IT security professionals who need to develop a GDPR data breach response plan.
Most of the GDPR concerns organizational measures related to processes, policy, and documentation—also IT Security. But certainly, we can agree that detecting breaches and promptly alerting authorities and individuals falls on the lap of the IT Security professional, right? No. Not exactly.
GDPR Notification Requirements
Before you download or create a GDPR breach notification template, let’s break down what should be considered before you sound that breach alarm and draw a lot of unnecessary attention to you and your organization. Within the context of the GDPR, you need to know:
- What is a breach?
- When you should report breaches to authorities?
- When you should report breaches to individuals?
- What to include in your notification?
Navigating the official GDPR to answer these questions is like walking through a house-of-mirrors. Some articles refer to multiple other articles or even sections of the same article, so you can’t focus on just one section of the GDPR to explain the notification requirements and potential fines. But understanding these five sections are a good place start:
- Recital 12 – Personal data breach (definition)
- Recital 75 – Risk to the rights and freedoms of natural persons
- Article 33 – Notification of a personal data breach to the GDPR supervisory authority
- Article 34 – Communication of a personal data breach to the data subject
- Article 83 – General conditions for imposing administrative fines
What is a breach according to the GDPR?
Data Breach – To most people, a data breach means sensitive/private data has been exposed or stolen. Infamous examples include Yahoo!, the Equifax data breach, and the Target breach in which personal information like email addresses, passwords, social security numbers, and credit card numbers were compromised and are no longer considered confidential.
Personal Data Breach – The GDPR breach definition expands the definition of a data breach to include impacts on the availability and integrity of personal information in addition to confidentiality. Recital 12 of the GDPR states:
“’personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
An example of a breach of availability and integrity would be the 2017 WannaCry ransomware attack. With WannaCry, nobody “ran off” with protected data. Instead attackers encrypted the protected data where it was located and made it inaccessible to organizations who needed it to provide services to their customers. In fact, WannaCry affected thousands of hospital computers and devices including MRI scanners, blood-storage refrigerators, and operating room equipment—impacting their ability to deliver critical services to their customers which by definition affects the “rights and freedoms” of the individuals who trusted the organizations with their personal data.
Another example that would now qualify as a GDPR breach is the Facebook-Cambridge Analytica data scandal, where more than 87 million Facebook users’ personal data was shared with a third-party organization—without clear and explicit permission—and used to influence voter opinions by Cambridge Analytica and politicians who bought the data. This might be considered a breach of confidentiality and integrity within the GDPR (I just call it a blatant breach of trust) and would certainly be GDPR headlines if it happened today.
When should you notify authorities? (GDPR Article 33)
Without “looking at your textbooks” most of you would say that Article 33 requires that authorities should be notified about a personal data breach within 72-hours (if you sit in the front row of the class you might correctly add “once becoming aware of it”). But the devil is in the details. Some clarity:
- The time constraint applies to controllers (not processors) and notification shall be without undue delay where feasible, but not later than 72 hours.
- Processors are responsible for notifying Controllers (not authorities) without undue delay.
- Don’t go overboard if you accidentally shared one email address with the wrong person, you only need to notify authorities if the personal data breach is likely to result in a “risk to the rights and freedoms of natural persons.”
Note: – Notifying authorities within 72-hours doesn’t mean there won’t be fines, but not doing so here is a sure-fire way to ensure there will be fines, potentially maximum allowable.
When should you notify individuals? (GDPR Article 34)
In some cases, Controllers are responsible for notifying individuals (data subjects) in addition to notifying authorities. The details…
- This one only applies to Controllers as GDPR Article 33 (paragraph 2) requires Processors to notify Controllers
- Only required when the personal data breach is likely to result in a high risk to the rights and freedoms of individuals
- Not required if the data is unintelligible to unauthorized people (i.e. data was encrypted, anonymized, or masked prior to breach)
- Not required if the controller has taken measures to ensure the data can no longer result in a high risk to the rights and freedoms of individuals
- If notification is unreasonably difficult and a mass/public notification can be just as effective
Bad news doesn’t get better with age, don’t delay your notification if you don’t have all the required information in a nice little package.
What to include in your notification?
Unlike much of the GDPR, Article 33 is actually pretty clear with regards to what should be included in breach notifications to authorities (what happened, number of individual records, what you have done to stop and prevent subsequent breaches and contact info for your data protection officer or other point of contact).
The important thing to remember is that bad news doesn’t get better with age, so don’t delay your notification. If you don’t have all the required information in a nice little package, it is okay to provide information to authorities in phases. In fact, Section 2(f) of Article 83 (General conditions for imposing administrative fines) clearly states that the manner in which the GDPR supervisory authority is notified of a breach is considered when it comes to associated fines.
“the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;”
I think organizations can easily develop a GDPR data breach policy and GDPR data breach response plan if they start by reading Article 83. It also helps make a case for doing a proper inventory and classification of sensitive data, prioritizing organizational and technical security controls, establishing 24×7 threat monitoring, and of course, thorough documentation every step of the way. (I probably should have started this blog on Article 83!)
Expert help, at your service
If you find all this overwhelming and don’t know where to start to address your GDPR compliance solution, we can help. Once you are ready to go, we’ll help you get up in running in days, so you don’t have to integrate a bunch of security compliance software tools or hire more people.
Note: I am not a lawyer, not even an aspiring lawyer. This blog does not constitute legal advice, only my interpretation and summary of certain requirements of the GDPR. Readers are encouraged to obtain legal advice from a qualified professional in respect to their organization’s obligations.