The Duty of Notification under the GDPR – Part II
As discussed in Part I of this article, there is little guidance in the GDPR to assist data controllers and processors in determining (i) whether notification should be made due to a “risk” or a “high risk” to the rights and freedoms of data subjects and (ii) what constitutes “undue delay” of notification.
“Risk” and “High Risk”
Notification must always be made to the ICO if the personal data breach is likely to result in a “risk to the rights and freedoms of natural persons”.
By contrast, there is a narrower duty of notification to individual data subject(s) which is only triggered if the personal data breach is likely to result in a “high risk” to the rights and freedoms of the data subject(s).
However, the GDPR provides no definition, specific criteria or guidelines for determining what constitutes a “risk to the rights and freedoms of natural persons”, nor for how to differentiate between “risk” and “high risk”.
Notification of a personal data breach should be made without “undue delay” by the data controller or processor.
There is no definition of “undue delay”.
Notification to the ICO by controllers must be made not later than 72 hours after having become aware of the breach. Late notification may still be made after 72 hours, but reasons for the delay must be provided to the ICO.
However, it is unclear what reasons will be sufficient to prevent notification after 72 hours from being deemed “undue delay”, which may be an infringement of the GDPR subject to penalties.
The General Guidelines for Imposition of Fines
Although the GDPR contains no definition or specific criteria for what constitutes “high risk” and “undue delay”, it sets out broad conditions to be considered by the ICO for the imposition of fines due to any infringement of the GDPR.
These conditions are set out in the GDPR under the heading “General conditions for imposing administrative fines”, as follows:
“(a) the nature, gravity and duration of infringement taking into account the nature … of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them…;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority…;
(g) the categories of personal data affected by the infringement;
(h) … whether … the controller or processor notified the infringement;
(i) where measures … have previously been ordered against the controller or processor …, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”
Due to the broad nature of these conditions, it is unclear how they will be implemented by the ICO in relation to (i) specific failures to notify or (ii) “undue delay”.
For instance, these general conditions do not indicate to what extent mitigating measures to stop an attack may be a complete or a partial defence to a failure to notify without “undue delay”.
Similarly, it is not clear to what extent the ICO will take into consideration the lower security measures adopted by smaller data controllers, which may be permitted but may also prevent a data breach from being detected or speedy notification from being made to the ICO.
These issues of policy implementation of the GDPR should be clarified by the ICO.
The new Guidelines on Data Protection Impact Assessment (“GDPIA”)
On 4 April 2017, the EU Article 29 Data Protection Working Party (“Art. 29 WP”) issued a new GDPIA. The GDPIA provide some guidance for determining whether “data processing” is “likely to result in a high risk” to the rights and freedoms of data subjects so that a Data Protection Impact Assessment (“DPIA”) must be carried out.
In the GDPIA, there is still no definition of “high risk”.
However, the GDPIA provide some welcome specific “examples of processing” together with “possible relevant criteria” in order that an informed decision regarding the requirement of a DPIA may be made.
Accordingly, it would be helpful if similar guidelines were also issued to assist data controllers and processors in relation to the meaning, under the GDPR, of (i) a “risk” or a “high risk” to the rights and freedoms of data subjects as regards the duty of notification; and (ii) “undue delay” of notification.
Despite the above unresolved issues, neither the ICO nor the EU Art. 29 WP has confirmed whether it will issue further guidance documents in relation to data breach notification before the GDPR comes into effect in May 2018.
If these issues are not clarified by way of detailed guidance documents, a culture of over-notification by data controllers to the ICO in order to avoid any risk of penalties is likely to become the norm.
This over-notification culture may overwhelm the national supervisory authorities and weaken the effective implementation of the GDPR by EU regulators.
The lack of guidance from the regulators will increase the defence costs incurred by data controllers and processors for dealing with regulatory investigations. As a consequence, this may increase insurance premiums for Cyber Insurance and other relevant policies.
It may also result in different criteria being applied by EU national supervisory authorities, leading to conflicting decisions. This may cause enduring cross-national regulatory discrepancies, due to the lengthy harmonisation appeal process before the European Court of Justice, to which the UK may or may not continue to be subject post-Brexit.
Once over-notification to the ICO and data subjects becomes the normal compliance and regulatory culture, regulators may in response fail to identify serious breaches amongst an unmanageably high number of notifications. This effect will be the opposite of the one intended by the GDPR.
If you have any queries about this article, or if you would like to discuss any of the issues raised in it, please contact Celso de Azevedo, whose details appear below.