Data Breach Notification Obligations under GDPR

The soon to be introduced General Data Protection Regulation (GDPR) places greater emphasis on the security of personal data than the previous Directive. This means that businesses and organisations need to pay attention to the way in which they secure the personal data they process and the way they notify relevant parties about data breaches.

Although GDPR does not stipulate any specific data security measures that need to be taken in order to comply, it does state that businesses and organisations must take any organisational and technical measures necessary in order to protect the personal data they process, as per Article 32. It also suggests some measures that may be appropriate, such as the encryption of data and ensuring the ability to restore data following an incident.

Every business or organisation must take measures to secure the personal data that it processes; this is especially the case when the data is considered to be high risk. High risk data can include information about health, religion and sexual orientation. Businesses and organisations must also keep records of the processes and procedures they put in place. If they cannot produce this documentation, they are at risk of being found to be non-compliant.

Reporting a Data Breach

According to GDPR rules, data breaches must be reported to the relevant supervisory authority within 72 hours, wherever possible. If it is not possible to make a full report within 72 hours, the supervisory authority should be notified and full details should follow without undue delay, together with a justifiable reason for the late reporting. These notifications are not necessary if the breach is not likely to present a risk to the rights and freedoms of individuals. Failure to comply with these rules could result in a business or organisation facing a fine for non-compliance. These fines are decided by the relevant Data Protection Authority (DPA), based on guidance from the Article 29 Working Party. The maximum fine possible is €20m or 4% of annual turnover, whichever amount is higher.

If there is a high risk to the rights and freedoms of data subjects, the individuals concerned must also be notified of the breach, without undue delay. There are three exceptions to this, when the data which has been breached has been made unintelligible by the use of methods such as encryption, when the data controller has acted to alleviate the high risk and where sending individual communications would involve disproportionate effort and a different form of communication is more appropriate. This communication could include a message on the website of the business or organisation, or a press release.

The aim of including these rules in GDPR is to ensure that the personal data of people living within the EU is processed securely, no matter which country they live in. This applies whether or not the business or organisation that is processing the data is based within the EU. Securing personal data in this way ensures that the rights and freedoms of people across the EU are protected in a uniform manner.