Awareness, occurs when the data controller has a ‘reasonable degree of certainty’ that the breach has occurred. Undoubtedly, there will be some instances when it is unclear whether or not a breach has occurred. To provide for these situations, organisations will have a ‘short period’ of time to carry out an investigation after first being informed about a potential breach.
During that initial investigation, they will not be considered to be ‘aware.’ Unhelpfully, ‘short period’ is not defined in the Guidelines, but it is suggested this should be ‘no longer than is necessary’ to establish ‘with a reasonable degree of certainty’ whether or not a breach has occurred.
For example, it has been widely reported that Deloitte discovered that hackers had had access to its systems since November 2016. Under the GDPR regime, if Deloitte had not had any reason to believe that its systems had been hacked back in November 2016, it would not have been considered as having been ‘aware’. Thereafter, after first realising that the hack might have occurred, Deloitte would have been allowed a short period of time to investigate before becoming obliged to notify.
Not only does this give organisations a reprieve, but it also prevents unnecessary notifications being made. If, after the short initial investigation, you establish that there is a ‘reasonable degree of likelihood’ that a breach has occurred, the clock will start ticking from the moment of that discovery.
As part of your response plan, you should therefore start thinking about who will conduct these investigations, and how these will be conducted.