The concept of personal data breaches was not introduced by the GDPR, but the GDPR contains a number of provisions relating to personal data breaches that data controllers (and processors) must also be aware of.
What is a personal data breach?
The concept of personal data breaches is closely linked to the principle of the integrity and confidentiality of personal data (Article 5 (1) (f) of the GDPR): "personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
Personal data breaches are essentially breaches of the integrity and confidentiality of personal data.
According to the definition in the GDPR, a "personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
A wide variety of incidents can therefore qualify as personal data breaches, such as losing a laptop that contains personal data, an attack on an IT system, or even sending a letter or an email to the wrong address.
The Article 29 Working Party (WP29), in its Opinion issued in 2014 (Opinion No. 03/2014), also presents a number of practical examples of what is considered to be a personal data breach and the consequences it may have. (NB: the opinion was issued with regard to the Directive on privacy and electronic communications, i.e. Directive 2002/58/EC; however, it also provides useful guidance when preparing for the GDPR.)
The Preamble to the GDPR (Recital 85) states that "a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as
- loss of control over their personal data or limitation of their rights,
- identity theft or fraud,
- financial loss,
- unauthorised reversal of pseudonymisation,
- damage to reputation,
- loss of confidentiality of personal data protected by professional secrecy, or
- any other significant economic or social disadvantage to the natural person concerned."
Personal data breaches can therefore have serious consequences for those affected, so where a breach could not be avoided, it is important that measures to contain and remedy the consequences of the incident are taken within a very short time.
What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach occurs:
- the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority;
- when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay;
- the controller shall document any personal data breaches.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification to the authority may be omitted. (For example, if a letter sent by a controller to a wrong address is returned unopened, no personal data has been accessed by an unauthorised person.)
The controller is not required to inform the data subject regarding the personal data breach if:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption);
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort. (In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner, e.g. in the form of a press release.)
The competent authority may order the controller to communicate a personal data breach to the data subject (please see Article 58 (2) (e) of the GDPR).
How can controllers prepare for handling personal data breaches?
Given that a personal data breach can occur at any data controller and that controllers then need to react quickly, it is important for controllers to be prepared in this respect as well.
It is usually advisable to take the following steps:
- review the data security measures in place (also with regard to the principle of data protection by design);
- if the data controller performs a data protection impact assessment, address the management of personal data breaches in it as well;
- prepare internal rules regulating how personal data breaches are dealt with, including the steps to be taken and the responsibilities involved (this may include actions in connection with the reporting obligation towards the authority and the information obligation towards data subjects);
- review the contracts with processors to ensure that the controller is informed immediately about a personal data breach that takes place at the processor; and
- establish an internal register of incidents.
How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available preliminary information, a separate department within the Hungarian DPA's organisation will deal with receiving and managing personal data breach notifications. It is also expected that an online interface will be available through which notifications can be sent to the authority (the interface is scheduled to be available in January 2018). The DPA is also expected to assist with preparatory work by providing information materials. (The full interview with Dr. Krisztián Osztopáni, expert of the Hungarian DPA on personal data breaches, is available here in Hungarian.) It is also worthwhile studying the relevant guidelines of the Dutch Data Protection Authority, since the reporting system for personal data breaches has been operating in the Netherlands since January 2016 and the Hungarian DPA will probably draw on the Dutch experience.