The Duty of Notification under the GDPR: Part I
The EU General Data Protection Regulation, Regulation 2016/679 (the “GDPR”), will be applicable from 25 May 2018.
The GDPR contains some of the most stringent data protection obligations and penalties in the world.
The GDPR will apply to any “natural or legal person” that, as a “controller”, determines the purposes and means of the processing of personal data, or that, as a “processor”, processes personal data on a controller’s behalf. It applies to controllers and processors established in the EU regardless of where the processing takes place, and to those established outside the EU where the processing relates to offering goods or services to “data subjects” who are in the EU, or to monitoring their behaviour within the EU. Therefore, the GDPR will apply to any business, even a non-EU corporate legal entity, which offers goods or services to individuals who are in the EU.
Regardless of the so-called Great Repeal Bill, the UK legislation that will repeal the European Communities Act 1972, the UK government confirmed in October 2016 that the GDPR will be implemented in May 2018.
In the Queen’s Speech on 21 June 2017, the government confirmed its intention to enact a new data protection law, which presumably will give effect to the GDPR after Brexit and replace the present Data Protection Act 1998.
Notification of a Data Breach to The Information Commissioner’s Office (“ICO”)
The Data Protection Act 1998 does not impose any duty on data controllers or processors to notify a data breach.
By contrast, the GDPR not only imposes a duty to notify a personal data breach, but also backs it with substantial administrative fines. A failure to notify falls within the lower tier of fines, of up to EUR 10m or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher; infringements of the basic principles of processing, of data subjects’ rights or of the rules on international transfers attract the higher tier of up to EUR 20m or 4%.
The GDPR imposes an obligation on the data controller to notify the national “supervisory authority”, which in the UK is the ICO, according to the following criteria:
(i) in the case of a “personal data breach”, notification must be made “without undue delay and… not later than 72 hours after having become aware of it”;
(ii) unless the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”; and
(iii) where the notification to the ICO is not made within 72 hours, late notification must be accompanied by reasons for the delay.
Therefore, the main criterion for the duty of notification to the ICO to be triggered is whether a “personal data breach” is likely to result in a “risk to the rights and freedoms of natural persons”. The 72-hour period runs from the moment the controller becomes aware of the breach, and a processor which becomes aware of a breach must notify the controller without undue delay, so the controller’s deadline depends in practice on how quickly its processors report.
“Personal Data Breach” is defined under the GDPR widely as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Therefore, an actual loss of, or alteration to, personal data is not necessary: even a minor unauthorised access to personal data is enough for an incident to be a “personal data breach”. Whether that breach must be notified then turns on the risk assessment above, and the controller must document every breach, including the facts, its effects and the remedial action taken, even where it concludes that no notification is required.
Notification of a Data Breach to the Data Subject
In addition to notification to the ICO, the GDPR provides under the heading “Communication of a personal data breach to the data subject” that notification of a personal data breach must also be made to the “data subject”:
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons…without undue delay.”
Data Subject is defined as any identified or identifiable natural person.
However, notification to the data subject is not required, pursuant to the GDPR, “if any of the following conditions are met”:
(i) appropriate technical and organisational protection measures had been implemented and applied to the personal data affected by the breach, in particular measures which render the data unintelligible to any person not authorised to access it, such as encryption; or
(ii) subsequent measures have been implemented which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
(iii) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure.
Accordingly, there is a narrower duty of notification to individual data subject(s) only if the personal data breach is likely to result in a “high risk”, as opposed to a “risk”, to the rights and freedoms of the data subject(s). “High risk” is not defined.
In addition, this narrower duty will not be triggered if any of the above conditions is satisfied. Encryption of personal data is likely to be an effective measure to minimise the adverse consequences of a data breach, provided that the encryption key was not itself compromised in the same incident and that the data genuinely remains unintelligible to whoever obtained it.
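The following is an added example, not part of the original article, illustrating why the encryption condition depends on what was actually taken. A constructed customer table is stored encrypted with a key held elsewhere; the same table is then assessed twice, once where an attacker obtained only the encrypted rows and once where the key was stored alongside the data and was taken with it. To keep the example self-contained it uses an HMAC-SHA256-based authenticated cipher built from the Python standard library; the function and record names, and the sample customers, are assumptions for illustration, and a real system would use a vetted AEAD such as AES-GCM with the key in a separate key-management service.

```python
"""Is breached personal data still "unintelligible"? (added example, not from the article)

Encrypt-then-MAC construction from the standard library: an HMAC-SHA256
keystream in counter mode for confidentiality and a separate HMAC-SHA256 tag
for integrity. Illustrative only; production code should use a library AEAD.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes, block by block."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_record(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for one record under a fresh nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or a modified record."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# Constructed sample data: a small customer table of the kind a breach would expose.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "email": "a.example@example.invalid", "dob": "1980-01-01"},
    {"id": 2, "name": "B. Example", "email": "b.example@example.invalid", "dob": "1975-06-15"},
]


def build_store(master: bytes) -> list:
    """Encrypt every customer row; the key itself is NOT stored with the rows."""
    return [encrypt_record(master, json.dumps(row).encode()) for row in CUSTOMERS]


def recoverable_records(stolen_blobs: list, stolen_keys: list) -> list:
    """Plaintext rows an attacker can read using only the material they exfiltrated."""
    recovered = []
    for blob in stolen_blobs:
        for key in stolen_keys:
            try:
                recovered.append(json.loads(decrypt_record(key, blob)))
                break  # this row is readable; no need to try further keys
            except ValueError:
                continue
    return recovered


def data_unintelligible(stolen_blobs: list, stolen_keys: list) -> bool:
    """True only if none of the stolen rows can be read with the stolen key material."""
    return not recoverable_records(stolen_blobs, stolen_keys)


if __name__ == "__main__":
    master = secrets.token_bytes(32)      # lives in a separate key store in scenario 1
    store = build_store(master)
    print("rows only stolen, data unintelligible:", data_unintelligible(store, []))
    print("rows and key stolen, data unintelligible:", data_unintelligible(store, [master]))
```

In the first scenario the exfiltrated rows fail authentication under every key the attacker holds, so nothing is readable and the encryption condition can plausibly be relied on. In the second scenario the same rows decrypt, so the data is not unintelligible and the assessment falls back to the ordinary “high risk” test. Deciding which scenario applies therefore requires knowing, from the forensic record, whether the key store was within the attacker’s reach.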
However, it is not clear, for instance, what “subsequent measures” could effectively be adopted to prevent a “high risk” from arising once unencrypted personal data has already been disclosed. This is only one example of a lack of clarity which will potentially cause confusion to data controllers without further guidance.
In relation to the Data Protection Act 1998, the ICO has issued some guidance regarding the voluntary “Notification of data security breaches” which provides that:
“‘Serious breaches’ are not defined. …However,…
… potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. …”
It is not clear how such sparse and general statements regarding the voluntary notification of “serious breaches” under the Data Protection Act 1998 may be applied to the different concepts set out under the GDPR.
As a result, further guidance would be welcome from the ICO or the EU Article 29 Data Protection Working Party (WP29) in relation to the notification of data breaches, regarding: (i) the meaning of a “risk” and a “high risk” to the rights and freedoms of natural persons and (ii) the scope and interpretation of the duty of notification without “undue delay”. These issues will be discussed in more detail in Part II of this article.
If you have any queries about this article, or if you would like to discuss any of the issues raised in it, please contact Celso de Azevedo, whose details appear below.