The General Data Protection Regulation (the GDPR) has introduced the requirement for a personal data breach to be notified to the competent national supervisory authority and in certain cases, to be communicated to the individuals whose personal data have been affected by the breach.
1. Data breach, sources and cases
“Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4 GDPR).
- “destruction”: the data no longer exists, or no longer exists in a form that is of any use to the controller.
- “loss”: the data may still exist, but the controller has lost control or access to it, or no longer has it in its possession.
- “alteration”: the personal data has been damaged, corrupted, or is no longer complete.
- “unauthorised disclosure or access”: disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data.
a) Sources
There are commonly three sources:
- Human sources with malicious intent
Internal: a malicious manager, employee, intern, maintenance staff member… The motive may be fraud, revenge, personal gain, greed…
External: an activist, terrorist, hacker, competitor, journalist, trade union, client… The motive may be to assert an ideology, to spy, or the desire to crack the system…
- Human sources without malice
Internal: manager, employee, intern, maintenance staff… Because of clumsiness or carelessness, or lack of information on the GDPR…
External: staff’s entourage, external provider, clumsy visitor, road traffic, air traffic by making waves, explosion etc.
- Non human sources
Computer virus, climatic event, force majeure, water leaks, hazardous materials…
b) Examples
Examples of malicious attacks:
- You discover that documents have been deleted: after a quick investigation, it seems that a former employee of a subcontractor used an administrator account to delete them;
- You are the victim of a cyber attack and all your data are encrypted: this is ransomware, and the hacker threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid;
Examples of human mistakes:
- You lose your bag or attaché case, filled with clients’ files, on the train;
- Your webmaster forgot to implement a functionality and anyone can access some confidential information of other users;
- You send an email to the wrong person;
- The only copy of a set of personal data has been encrypted by the controller using a key that is no longer in its possession;
- You delete data accidentally and the controller cannot restore access to the data.
If the incident concerns anonymous data or files without personal data, it is not a personal data breach.
2. Notifications
A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy.
a) Notification to the supervisory authority
Article 33 provides that in the case of a personal data breach, the controller shall notify it to the supervisory authority not later than 72 hours after having become aware of it.
The processor also has an obligation to notify the controller without undue delay after becoming aware of a personal data breach.
This notification shall at least:
- Describe the nature of the breach including where possible, the categories and approximate number of data subjects concerned and the approximate number of personal data concerned;
- Communicate the name and contact details of the DPO;
- Describe the likely consequences of the breach;
- Describe the measures taken or proposed to be taken by the controller to address the breach and to mitigate, if possible, its adverse effects.
By way of exception, there is no obligation to notify the breach if it is unlikely to result in a risk to the rights and freedoms of natural persons.
b) Notification to data subjects
Article 34 states that when the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the personal data breach to the persons concerned without undue delay.
This communication shall:
- Describe in clear and plain language the nature of the breach;
- Communicate the name and contact details of the DPO;
- Describe the likely consequences of the breach;
- Describe the measures taken or proposed to be taken by the controller to address the breach and to mitigate, if possible, its adverse effects.
This communication is not required if:
- The controller had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular encryption. This means that the personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. For example, the personal data are protected by state-of-the-art encryption or by tokenisation.
- The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. For example, the controller may have immediately identified and taken action against the individual who has accessed personal data before they were able to do anything with it.
- It would involve disproportionate effort. For example, the data subjects’ contact details have been lost as a result of the breach or are not known in the first place. Or, there is a flood in the office and the documents containing personal data were stored only in paper form.
Controllers and processors need to have a dedicated process for notifying breaches to the supervisory authority. They also have to define the roles and responsibilities of the key people involved in the notification.
We are at your disposal to help you in this matter.
Charlotte GALICHET