WP29 Publishes New Guidelines on Personal Data Breach Notification Under the GDPR

The GDPR expands the range of obligations that controllers must comply with when processing personal data. Amongst those is the obligation to notify personal data breaches to supervisory authorities and individuals, depending on the likelihood and severity of risks (Articles 33 and 34).

The WP29 released this week its proposed guidelines on this new personal data breach notification. These guidelines are designed to help organisations better understand when a notification is required and what processes they need to have in place to adequately detect and address a breach. Some of the main elements of the WP29 guidelines include the following:

  • Clarification of the types of personal data breach. The WP29 clarifies that a breach could concern either the confidentiality, integrity, or availability of the personal data, or a combination of these, and insists that controllers must consider all possible consequences of a breach in their investigation. For instance, a loss of data that was properly encrypted would be unintelligible for third parties and therefore would not be a confidentiality breach, but could still consist in an availability breach if the organisation did not have any backup of the lost data.
  • Guidance on when a controller is considered “aware” of a breach and the timing for notification. The WP29 recognises that a controller may undertake an initial investigation during a short period of time after being informed of a potential breach to evaluate whether or not a breach actually occurred. It, however, indicates that the controller will be considered “aware” of a breach (which initiates the 72 hours timeframe to notify the supervisory authority) as soon as it has a reasonable degree of certainty that a security incident has occurred and that personal data are compromised (to be assessed on a case-by-case basis). Organisations should therefore put in place robust internal processes, such as detailed incident response plans or governance arrangements to be able to properly detect and address a breach, and ensure that the right information reaches the appropriate levels of management without delay.
  • Clarification of the role of processors. Interestingly, the guidelines state that the controller should be considered “aware” of a breach as soon as the processor itself becomes aware of it. This will likely be a source of heavy discussions between controllers and processors since, while the controller has a 72 hours time limit to notify a breach, the GDPR does not impose any strict time limit on the processor to notify the controller (the GDPR states it must do so “without undue delay” after becoming aware). While the WP29 recommends that processor notify the controller immediately (and follows later with additional information), controllers should make sure this matter is properly covered in their data processing agreements.
  • Description of factors to consider when assessing risks. The WP29 provides a list of factors to consider when assessing the likelihood and severity of a risk (and therefore the need to notify the supervisory authority and/or the individuals), which includes the type of breach, nature, sensitivity, and volume of personal data, ease of identification of individuals, severity of consequences for individuals, special characteristics of the individuals, number of individuals concerned, as well as the special characteristics of the controller itself. The guidelines also contain an annex detailing non-exhaustive examples of breach designed to help organisations identify risks and whether notifications are required.
  • Guidance on how to document breach. The WP29 also highlights the importance of documenting every data breach as part of the new accountability obligation, this regardless of whether or not a notification is required (including, for example, documenting the reasons why the controller decided that a notification was not required). Organisations should establish an internal register of breaches and have documented notification procedures in place to be able to demonstrate overall compliance with Article 33 and 34 of the GDPR, including detection and handling of data breach.

The proposed guidelines are open for consultation until 28 November 2017.

OneTrust will publish later this week a white paper further detailing the content of these proposed guidelines and what they mean, in practice, for organisations.

How OneTrust Helps

OneTrust provides Data Incident and Breach Notification Management tools to assist organisation with meeting their obligations under Articles 33 and 34 of the General Data Protection Regulation (GDPR). This allows organisations to maintain incident and breach records, evaluate against notification requirements, and analyse overall risks with connections to the underlying data inventory.