Data Breach Notification and the New EU Data Protection Regulation


The new EU General Data Protection Regulation contains an obligation on Data Controllers to notify supervisory authorities of personal data breaches. In some cases this extends to the Data Subjects as well.

Article 4 of the Regulation defines a personal data breach:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Under the Data Protection Act 1998 (DPA) there is currently no legal obligation to report such breaches to anyone. However, the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention. Last year telecoms company Talk Talk was the subject of a cyber attack in which almost 157,000 customers’ personal details were hacked. The company was criticised for its slow response, especially the time it took to inform the ICO and customers.

Article 31 of the Regulation states that as the Data Controller becomes aware that a personal data breach has occurred it should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority (in the UK the ICO). There is no need to do this where the controller is able to demonstrate that the breach is unlikely to result in a risk for the rights and freedoms of individuals, for example a very minor data breach involving innocuous information about a few individuals. Where the 72 hour deadline cannot be achieved, an explanation of the reasons for the delay should accompany the notification.

Notification Contents

The notification must contain the following minimum information:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and data records concerned;
  • the name and contact details of the Data Controller’s Data Protection Officer (now a statutory position) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects.

Where it is not possible to provide the above information at the same time, the information may be provided in phases without undue further delay.

The new Regulation will require all personal data breaches, no matter how insignificant, to be documented by Data Controllers. This should include the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with Article 31. Some, if not all of it, will also be accessible via Freedom of Information requests, as many local authorities have already found.

Individuals’ Rights

Article 32 of the new Regulation states that Data Subjects should be notified without undue delay if the personal data breach is likely to result in a high risk to their rights and freedoms (e.g. fraud or identity theft), in order to allow them to take the necessary precautions. The notification will be similar to the one to the supervisory authority (discussed above) and should describe, in clear and plain language, the nature of the personal data breach as well as recommendations for the individuals concerned to mitigate potential adverse effects.

Notifications to individuals should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the need to mitigate an immediate risk of damage would call for a prompt notification whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

There is no need to communicate a personal data breach to individuals if:

(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular measures that render the data unintelligible to any person who is not authorised to access it, such as encryption; or

(b) the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or

(c) it would involve disproportionate effort. In such case, there will instead have to be a public communication (e.g. press release) or similar measure whereby the Data Subjects are informed in an equally effective manner.

Even where a Data Controller has chosen not to inform Data Subjects, the supervisory authority can instruct it to do so. No doubt there will be more detailed rules setting out what kinds of breaches require notification and to whom.

Compensation

Article 77 states that:

“Any person who has suffered material or immaterial damage as a result of an infringement of the Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

This together with the new breach notification provisions (discussed above) will no doubt see an increase in Data Subjects taking legal action against Data Controllers as a result of data breaches. There may even be more class actions like the one against the London Borough of Islington in 2013 when 14 individuals settled for £43,000 in compensation after their personal data was disclosed without their authority. This action followed an ICO investigation which resulted in the council being fined £70,000.

Currently the ICO can issue fines (Monetary Penalty Notices) of up to £500,000 for serious breaches of the DPA. When the Regulation comes into force, this will be increased to 4% of global annual turnover for the preceding year (for businesses) or 20 million Euros.

The Regulation will have a big impact on all sectors. Whilst it is unlikely to come into force until the middle of 2018, all Data Controllers should be examining their approach to data breaches now and be putting into place processes to comply with the new rules.

Act Now Training can help. Please see our one-day EU DP Regulation workshops and our 1 hour webinars. We can also conduct DP audits and assessments.

New EU Data Protection Regulation. Are you ready for the biggest change to data protection in 20 years?


The text of the new EU Data Protection Regulation has now been finalised.

But we’re not quite at the finish line yet. You can even choose whether you think the finish line is when the Regulation gets its rubber-stamped approval (which is imminent), or when it is finally implemented (which is probably two years away).

Nevertheless, the notorious Trilogue negotiations are over. The EU Council and Parliament have agreed a compromise text. Years of uncertainty about whether there would be a new EU law, and what it would look like, are over.

What should you make of it? First, we did mean ‘texts’, as the Regulation (a new Data Protection law applying equally across all EU member states) is accompanied by a Directive (new rules for Data Protection when applied to crime and justice, implemented by each state with greater flexibility). Second, many of the headline-grabbers survive intact – many organisations will require a Data Protection Officer, mandatory breach reporting is coming, and the maximum monetary penalties are 4% of an organisation’s annual turnover, which represents something of a defeat for the EU Council, who aimed much lower.

Proposals to remove charges for subject access may make many organisations wince. Even at first glance, there are some surprises; most notably a requirement for parents to consent for their children to access some web services if under 16 – although this age can be lowered by national governments to 13. This proposal surfaced late in the negotiations, and its implications still need to be unpicked.

The Regulation is about identifying and dealing with risk, about building structures within your organisation, and taking a more organised, more proactive approach to Data Protection. The fundamentals remain largely unchanged; what the Regulation does is build a whole new set of structures and routines on top of those foundations.

The final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.

Now is the time to Act!

There is a lot to learn and a lot to do in the next few years. Firstly, all Data Protection Officers and information professionals need to read the Regulation and consider its impact on their organisation. Here are the key points of the Regulation to get you started.

Secondly, training and awareness at all levels needs to start now. This is where Act Now can help, whether you want a relevant DP qualification or a short briefing on the Regulation to kick-start your preparation.

For Data Protection Officers (new and old) who need to get a formal qualification, our Data Protection Practitioner Certificate is ideal. The course looks at the current law as well as the forthcoming changes set out in the Regulation, particularly the issues of consent, privacy impact assessments and data subjects’ rights. The syllabus is endorsed by the Centre for Information Rights based at the University of Winchester.

We are also running a series of full day workshops throughout the UK which are filling up fast. More dates will be added soon. We can also offer full or half-day in-house briefings on the Regulation from the middle of January 2016.

Finally, for those whose budgets were depleted by the Christmas party or may just not have the time, we have planned a series of one hour webinars looking at various aspects of the Regulation in detail.

2015 in review

The WordPress.com stats helper monkeys prepared a 2015 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 37,000 times in 2015. If it were a concert at Sydney Opera House, it would take about 14 sold-out performances for that many people to see it.

