The privacy regulation (Regulation (EU) 2016/679) will be soon directly applicable on the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the dispositions of the new legislation.
In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.
What does “personal data breach” mean?
The GDPR defines personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There are many types of personal data breaches, which may include theft or accidental erasure of data from a database, as well as malware attacks which block access to IT systems or blackouts which make data temporarily unavailable.
In brief, we can say that a personal data breach is a specific type of security incident in cases when personal data are involved. While all personal data breaches are security incidents, not all security incidents can necessarily be described as data breaches.
What action must the controller take in cases of personal data breach?
Articles 33 and 34 of the GDPR regulate the procedures the controller must activate in cases of personal data breach, which are to notify the supervisory authority of the breach (in Italy the Garante per la protezione dei dati personali) and to communicate the breach to the data subject.
Both procedures aim at informing the authority or the data subject that a breach has occurred in order to allow them to take all necessary protection measures.
What action must the processor take in cases of personal data breach?
Although obligations of notification and communication must be fulfilled by the data controller, art. 33 establishes that, once aware of the breach the data processor must inform the data controller without undue delay.
After a violation has taken place and in order for any intervention to be carried out as effectively and promptly as possible, also when taking into consideration the dimension of the contexts in which the data is being processed and the number of people who may be involved, it would be useful for the data controller to arrange an incident response plan. This plan should set out the different steps and organisational procedures which need to be adopted to deal with possible violations and the structure or response team to whom the event will be referred.
When must notification to the supervisory authority be carried out?
Art. 33 of the GDPR provides that the data controller must notify a personal data breach without undue delay to the supervisory authority and where feasible within 72 hours. When notification is not made within 72 hours it must be accompanied by the reason for the delay.
It is not necessary to send notification when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, the data controller is responsible for analysing the potential risks caused to data subjects by data breaches and for assessing whether the risks are sufficiently high as to warrant triggering the obligation to notify the supervisory authority. It should be noted that the presence of a “simple” risk is enough to oblige the data controller to notify the authority.
When must communication be given to the data subject?
Art. 34 of the GDPR provides that when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.
Differently from notification given to the supervisory authority, communication to the data subject must only be given when the breach presents “high risk”. In any case, it is the duty of the data controller to evaluate the level of risk.
The article continues by listing the following circumstances under which, despite the potential high risks, communication to the data subject is not required if: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption); (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; (c) it would involve disproportionate effort (in such a case, there shall instead be a public communication or similar measure (whereby the data subjects are informed in an equally effective manner).
In what form should the communication be made?
To comply with the obligation of communication provided for by the GDPR it is not sufficient only to inform the data subject. Essentially, the appropriateness of a communication depends not only on its contents, but also on the manner in which it is formulated. In order to fulfil their informative function, communications must be written in plain and easily understandable language. Direct communications to the data subjects are preferable (e.g. e-mail, SMS or direct messages). The information should be communicated in a clear and transparent manner, thus avoiding conveying the message in excessively general and misleading formats (such as generic updates or newsletters).
How should the assessment of the risk resulting from a data breach be carried out?
The assessment of the risks resulting from a data breach is a fundamental step because it allows the data controller not only to identify adequate measures to contain or eliminate the breach, but also to weigh up the necessity to activate the notification and communication procedures (which are triggered only above certain risk thresholds).
The assessment is similar to that which the data controller needs to carry out in relation to the Data Protection Impact Assessment, but unlike the latter it must be more personalised, with regard to the concrete circumstances of the breach.
Among the factors the data controller needs to take into consideration in his/her assessment, can be mentioned: the type of breach (confidentiality, accessibility or integrity breach?) the nature of the data involved (e.g. health data, ID documents or credit card numbers); how easy it would be to identify the data subjects (this varies according to the type of data, identification or non-identification data, and the methods used for their storage, e.g. pseudonymisation techniques or cryptography); the seriousness of the consequences on individuals (this differs depending on whether the data were mistakenly sent to a trusted party or were stolen by an unknown third party); any particular characteristics and the number of individuals involved (e.g. whether vulnerable data subjects such as children or elderly people, for example, are involved; whether it was a collective or individual breach) and the particular characteristics of the data controller (e.g. based on the activity processing environment).