Under the EU GDPR, controller organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals. A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Controller organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is likely to be a high risk to the rights and freedoms of the data subject then the data subjects must be informed directly without undue delay.
The EDPB’s new guidelines, which contain examples of personal data breach notification under the EU GDPR, make several references to the responsibilities of processors, and not just controllers, in relation to managing a personal data breach.
According to the guidance, processors as well as controllers should have plans and procedures in place for handling data breaches. This represents an expansion of the preparations that processors should put in place to meet the data protection regime.
While processors have their own security obligations under Article 32 of the EU GDPR, they do not have obligations to notify personal data breaches to the national data protection authority, or to individuals – this is the preserve of the controller. However, the processor must notify the controller of a personal data breach without undue delay, and the legislation requires the processor to be put under a contractual obligation to assist the controller with its reporting obligations, which are governed by Articles 33 and 34 of the EU GDPR.
In its guidance, the EDPB also addressed considerations controllers should have when deciding whether and when to report data breaches to data subjects. It cited a recital to the EU GDPR itself, appearing to confirm that the timeline for notifying data subjects is contingent on the nature of the risk posed to the individuals in question.
A further clarification also highlighted the EDPB’s view that notifying affected data subjects collectively, for example through a posting on the company website, rather than individually may not be appropriate, even where no details are held for the relevant data subject, if such a notification strategy may increase the risk to the data subject.
Other amendments made to an earlier version of the guidance indicate an increase in the EDPB’s expectations in terms of security measures that organisations need to put in place to address the risk of data breaches. These include increased focus on the importance of backups, including the need for those to be multiple, regular and isolated, and specific mention of multi-factor authentication as a baseline security measure.
Co-written by Rebecca Townsend of Pinsent Masons.