Breach & Notification

The video below is from Jim Steven at Experian and concerns data breaches.

According to the regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

It’s important to note that the wilful destruction or alteration of data is as much a breach as theft; the definition is not limited to data being taken.

In the event of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” How this translates into real-world action is not clear – something the legal profession will debate, I’m sure.

Importantly, when a data processor experiences a personal data breach, it must notify the controller but has no further notification or reporting obligation of its own.

Should the controller determine that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals,” it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 32, this must be done “without undue delay.” Again, we will have to wait to see how this applies to real-world situations.

The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances:

  1. The controller has “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”.
  2. The controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialise.
  3. Notifying each data subject individually would “involve disproportionate effort,” in which case alternative communication measures (such as a public announcement) may be used instead.