The GDPR’s Data Breach Notification Rules in Plain English

Published On January 15, 2020

For records managers and data privacy professionals who are struggling to understand what’s expected of them under the General Data Protection Regulation (GDPR) that went into effect in the European Union (EU) in 2018, the organization charged with enforcing the regulation in Ireland has a quick study guide to GDPR’s data breach notification rules that can help.

A 19-page summary published late last year by Ireland’s Data Protection Commission (DPC) provides a plain-English account of what organizations need to do in the event of a breach. The topic is of more than academic interest: In the nine months after GDPR was implemented in May 2018, more than 64,000 data breach reports were filed, according to the European Data Protection Board. While fines have been modest so far, many observers expect the EU to step up enforcement now that an informal 18-month grace period has passed.

In a nutshell, the DPC advises controllers — the people responsible for protecting and managing citizens’ personal information — to ensure that personal data is clean, well documented and protected by strict access policies and encryption.

GDPR data breach notification rules require them to keep a record of every data breach, even if no privacy rights were violated. They must also be prepared to specify the incident date, number of records covered, likely consequences and measures the organization has taken to prevent a recurrence — all within 72 hours.

Breached organizations are required to notify affected consumers “without undue delay” what happened, what the likely impact is on them and what they should do to mitigate its effects. The phrase “without undue delay” shows up frequently in the GDPR guidelines without a clear definition. The EU’s subsequent clarification that the term means “as soon as possible” is only a modest improvement.

The Clock Is Ticking

The GDPR data breach notification guidelines make it clear, however, that the 72-hour reporting requirement is to be taken seriously. When the deadline can’t be met, a breached organization must explain the reasons for the delay. Even if there’s no evidence that personal data was compromised, it must still keep a record of the incident.

Notifications to regulators must include, at the minimum, the nature and scope of the breach, the likely consequences and measures that were taken to mitigate its effect. That may be a tall order in some cases, particularly in the confusing early hours following a breach discovery. In those cases, partial notification is better than no notification at all. It’s okay to fill in the gaps later, the guidelines say, but regulators will want an explanation of why the 72-hour deadline wasn’t met.

The guidelines devote special attention to the topic of risk, noting that some reports the Irish agency have received underestimated the potential impact on the “rights and freedoms of affected data subjects.” Among the factors controllers need to take into account are whether or not compromised data could be used maliciously, if it was encrypted, the ease with which personal information can be traced back to individuals, the likelihood of consequences like identity theft, and the risks of nonmaterial damage such as reputational harm.

Ignorance of the GDPR data breach notification rules is no defense — controllers must report all disclosures of personal data unless they can demonstrate there is no risk to the people affected. The only excuse for not reporting a breach is a documented risk assessment that determines no potential harm was found. Even then, that assessment is subject to review and penalties if the risk was underrated.

Learn or Buy Needed Skills

Lack of technical skills isn’t a defense either. Controllers are required to possess enough knowledge to determine that they’ve been a victim of a security incident, the measures that need to be taken to mitigate the damage and appropriate safeguards to be used in the future. The rules even apply to social engineering techniques like phishing. The authors acknowledge that small and midsize companies are disproportionately challenged by these requirements, but that doesn’t excuse them from complying.

Not all breaches are the result of cyberattacks or are even necessarily digital. Regulators note that there have been incidents of personal information being disclosed due to poor data accuracy practices, such as customer records being sent to the wrong postal mail address. “In certain sectors personal data breaches of this nature account for the vast majority of breaches notified to the DPC,” they report.

Data privacy professionals should consult the official GDPR regulation for the precise terms of compliance, but Ireland’s DPC has done them a favor by translating the legal details into actionable plans anyone can understand.