What to do to prevent and react to a data breach under the GDPR?
A detailed data mapping activity as well as internal and external cyber risk and reporting procedures are necessary to handle a potential data breach at the time of the EU Privacy Regulation.
Updated on 7 March 2018 after the publication of the final version of the guidelines on data breach notification of the Article 29 Working Party
I already discussed in a previous blog post of the relevance of cyber risk nowadays. According to a report by Symantec, there were more than 430 million new malware variants in 2015 with 318 total data breaches and more than 429 million identities exposed to cyberattacks. Therefore, it is certain that any company in the world will suffer sooner rather than later a cyberattack. The issue is how the company will react to it and be able to minimise the potential negative consequences.
As part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation (GDPR), below is an article on how to handle a “data breach” and a video summary (in Italian) of the topic as part of my video series named “Diritto al Digitale”
What is a data breach?
The GDPR defines a personal data breach as
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed“
Based on the above definition, a data breach
- is only taking place when it relates to personal data and no illegal access to any data would be relevant and
- might occur not only in case of major cyber attacks that lead to the unauthorised access to personal data, but also if one of our employees, agents or contractors leaves its computer or its memory stick on the train/plane and this is not encrypted or cannot be remotely locked and
- is not necessarily due to the access to personal data that is electronically stored and could happen even if for instance an HR manager leaves the door of his office open with the payslips of all the employees on his desk and they are stolen.
Also, the article 29 Working Party clarified the definition of loss of personal data as the scenario where
“the data may still exist, but the controller has lost control or access to it“
making at least an arguable example where “the only copy of a set of personal data has been encrypted by ransomware, or has been encrypted by the controller using a key that is no longer in its possession“. This means basically that a data breach might occur even if none would be able to get access to the affected personal data and therefore no loss of personal data to the benefit of someone would have taken place. This does not mean that the data breach notification obligation would automatically be triggered in such case, but it means that the matter shall be treated as a data breach and it should be assessed whether depending on the potential consequences a data breach notification is required.
Yet, data protection authorities argue that even a temporary loss of personal data due for instance to a power failure or a denial of service attach would fall under the definition of a data breach. Indeed, the GDPR requires to out in place measures able to ensure the ongoing confidentiality of personal data and to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. It is likely that a minor temporary unavailability of personal data will not lead to a notification obligation, but it shall be assessed as data breach.
Are you able to track data and their usage in your systems and in your suppliers’ systems?
The article 29 Working Party emphasized that the GDPR requires to adopt adequate security measures and that
“a key element of any data security policy is being able, where possible, to prevent a breach and , where it nevertheless occurs, to react to it in a timely manner“.
If a company does not have a full picture at any time of
- who is processing personal data on its behalf,
- where data is stored,
- how data is processed and
is not able to identify potential misbeaviours by means for instance of data leakage technologies as well as the monitoring of log files, the prevention, identification and reaction to a potential data breach becomes impossible.
And the matter becomes particularly tricky when it comes to IT suppliers and in particular cloud providers as well as agents and subagents. Indeed
- Cloud providers have historically been reluctant from accepting any kind of obligation to use dedicated servers for the offering of their service. But the EU General Data Protection Regulation obliges data controllers to provide their audit right in the data processing agreements with processors (including cloud providers) and to exercise an actual control on them. It will be interesting to see how cloud providers will handle the matter and the risk is that the GDPR will set the end of the fully open cloud;
- Agents are usually small companies which have in turn a network of sub-agents that are self-employees without any organisation or IT infrastructure. It will be crucial the setting up of a “safe environment” where the data controller can
- make sure that personal data of its clients/employees are accessed only for instance through its dedicated portal and cannot be lost on devices/printed documents that are impossible to map and
- have a full understanding at any time of who is processing the personal data of its clients/employees and that any of those entities/individuals
- committed to comply with privacy laws through a data processing agreement (or a sub-data processing agreement in case of sub-processor) or the appointment as persons in charge of the data processing;
- have technical and organisational measures adequate to ensure the protection of personal data and
- have been adequately trained on obligations imposed by privacy regulations.
Are you able to get notified and notify a data breach?
The EU Privacy Regulation obliges in case of occurrence of a data breach to
- notify it to the competent data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it where the competent authority
- in case of cross-boarder data breaches, is the one of the leading authority under the one-stop shop rule; and
- in case of companies non-established in the EU, is the one of the country where the company’s representative is based; and
- when this is likely to result in a high risk to the rights and freedoms of natural persons, communicate it to the data subject without undue delay.
The above requires, also according to the Article 29 Working Party, to put in place a procedure able to ensure that
- employees, agents, contractors and whoever processes personal data on behalf of a company are fully aware of what is a data breach, of the risks faced by the company in case of lack of notification and of what to do in case of occurrence;
- a procedure is set up in order to enable a timely internal notification of data breaches (e.g. through a dedicated email address or a hotlinee). And the article 29 emphasizes that the agreement between controller and processor may include requirements for early notification by the processor that in turn support the controller’s obligations to report to the supervisory authority within 72 hours;
- once the notification is received, an incident response plan is immediately activated, reporting the matter to the top management which might be a “privacy committee” made for instance of the DPO, the CISO, the managing director and the heads of the main departments of the company;
- an assessment shall be performed by the persons/committee referred above (i) of the potential risks on individuals deriving from the data breach, (ii) on whether a notification to the data protection authority or a communication to the individuals is necessary and (iii), if so, of how the notification shall be done and at the same time; and
- measures aimed at containing and recovering the data breach are adopted.
A major debate occurred during the drafting of the EU Privacy Regulation on whether the term for the notification/communication had to start from either the occurrence of the event or from its knowledge. The final version of the GDPR refers to the time when the controller becomes aware of it. And according to the article 29 Working Party, during this period of investigation on a data breach, the controller may not be regarded as being “aware” of a data breach. However, the same data protection authorities argue that
“it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place and the possible consequences for individuals; a more detailed investigation can then follow.“
If there is a delay in getting aware of a data breach or assessing it, this circumstance itself would be evidence of the lack of adequate internal security measures. And in particular, the Article 29 Working Party emphasizes that data processors shall immediately notify a data breach to their data controller with the possibility to then integrate the notification on the basis of the information subsequently gathered.
Likewise, if data controllers don’t have a full picture of the data breach at the time of the notification to the data protection authority, they can mention in the notificaton that further information will be provided and in any case data controllers are expected to follow up with the authority on the investigation performed. This might be a quite “tricky” obligation since data controllers definitely do not want to shed the light of the privacy regulator on their company for an event that might end up not to be relevant. Therefore, a case by case review will be necessary.
In this respect, it is important to notice that according to the article 29 Working Party
“the processor (e.g. a supplier, agent or service provider) does not need to first assess the likelihood of risk arising from a breach before notifying the controller; it is the controller that must make this assessment on becoming aware of the breach. The processor just needs to establish whether a breach has occurred and then notify the controller“.
This means that suppliers shall notify to controllers any type of data breach that took place, without running a prior assessment which will be performed by the controller together with the processor.
Are you able to avoid the notification of a data breach?
The notification/communication of a data breach is not always required. Indeed, the GDPR provides that
- The notification to the data protection authority is required, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons; while
- The communication to affected individuals is not required when
- appropriate technical and organisational protection measures have been implemented and applied to the personal data affected by the data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise; and
- it would involve disproportionate effort (e.g. there are millions of costumers to be notified). In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
The above means that the notification of a data breach itself might show the lack of adequate security measures by the company. On the contrary, the implementation of adequate technical and organisational safeguards validated by the data protection authority or a certification entity by means of a privacy impact assessment or a certification would considerably limit the risks also in case of occurrence of a data breach. In this respect, the implementation of an internal cyber risk policy as well as the adoption of a cyber risk insurance policy would represent a considerable protection.
And for instance the Article 29 Working Party clarifies that a notification might not be necessary if it is breached the confidentiality of enrypted data, but the decryption key is preserved. However, if the back up of the affected data is takes too long an availability breach might have taken place. Furthermore, the adequacy of the level of encryption shall be continously assessed since it might be sufficient at the time of the collection of personal data, but might end up to be inadequate later on.
What fines for the lack of data breach notification?
The above is relevant also because the lack of compliance with data breach notification obligations triggers under the GDPR a fine up to € 10 million or 2% of the total worldwide annual turnover of an undertaking, whichever is higher. Also, according to the article 29 Working Party this fine might be coupled with a second fine if the lack of notification of a data breach is deemed per se a lack of adequate security measures. This is at least arguable since the more specific fine should prevail over the generic fine and, under the laws of many EU Member States, it is not possible to have two fines for the same breach.
This is just a snapshot of what has to be done in case of data breaches. You can review the other posts of this series below
If you found this article interesting, please share it on your favourite social media!
WRITTEN BY GIULIO CORAGGIO
IT, gaming, privacy and commercial lawyer at the leading law firm DLA Piper. You can contact me via email at firstname.lastname@example.org or email@example.com or via phone at +39 334 688 1147.