The data breach III (Documentation of data breaches)
The GDPR defines the notion of data breach and contains rules on when it is mandatory for controllers to report a data breach to the competent supervisory authority and when they are obliged to communicate data breaches to the data subjects. Controllers are also required to document personal data breaches. In addition, processors are required to notify the controller without undue delay after becoming aware of a personal data breach.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the personal data breach notification on 3 October 2017, which are being finalized, that interpret the respective provisions of the GDPR (Articles 33-34 and Recitals 75-76 and 85-88) and give some examples of possible data breaches.
Below, a Q&A will follow concerning the obligation to document data breaches. My blog contains two previous posts in which I have addressed in a Q&A format the issues concerning notifying the supervisory authorities of data breaches and the communication of data breaches to data subjects, respectively.
1. Who is required to document data breaches?
Pursuant to Article 33 (5) of the GDPR, controllers are required to document data breaches. Also, as per the GDPR, data controllers must have appropriate technical and organisational measures in place and must, therefore, be able to detect and assess vulnerabilities and security breaches. Thus, in addition to documenting data breaches, controllers are also required to implement appropriate procedures and measures to ensure that they are able to timely detect and address security issues.
For details as to the content of the document / register on data breaches, please see the response to question 2 below.
Apart from controllers, due to the principle of accountability, processors are advised to have a documentary proof of the fact that they have notified the controller of the data breach in a timely manner. This way the processors can demonstrate that they have complied with their obligation to notify the controller of the data breach without undue delay after becoming aware of a personal data breach, as required by Article 33 (2) of the GDPR. A prerequisite for the fulfillment of this obligation is that processors must have appropriate technical and organizational measures in place so that they are able to identify security breaches in a timely manner and tell if the security breach qualifies as a data breach. The data breach must then be reported to the controller. This means that processors necessarily have to (be able to) assess and actually carry out the specific assessment if the security breach qualifies as a data breach. The assessment should be documented.
When notifying the controller of the data breach, the processor is required to provide information on the facts relating to the data breach so that the controller is able to fulfill its obligations in connection with the data breach.
Processors are also advised to take into account the fact that a security breach may later turn out to be a data breach which is then reportable to the controller. If a processor is unable to decide if a security breach qualifies as a data breach or if the security breach may later turn out to be a data breach, it is advisable to notify the controller of the breach in time.
2. Do processors have any obligation in connection with data breaches?
Please see the response to question 1 above.
3. How should controllers document data breaches?
The controller is advised to prepare a registry of data breaches. For example, preparing an Excel sheet or word document for this purpose should suffice.
The document on data breaches must contain
a) the facts relating to the personal data breach, such as, for example, the date when the breach occurred and when it was discovered, a description of what happened (facts and circumstances), a description of individuals affected, what personal data have been affected, a description of the cause of the data breach;
b) the effects of the data breach, i.e. what are the (likely) risks / consequences of the data breach and
c) a description of the remedial action(s) taken, i.e. a list of the remedial measures taken, the reasons for taking the specific remedial action(s) and the effects of such actions.
If the controller did not notify the authority / the data subjects of the data breach, it is advisable that the registry of data breaches also contains the reasoning and justification for not making the notification.
It is also highly advisable to also document the procedure concerning how a security breach is addressed and how the potential risks such a breach may pose to the rights and freedoms of natural persons are assessed. This is to ensure that the controller is able to demonstrate compliance with the GDPR.
4. Are controllers / processors required to have a data breach policy?
The GDPR does not contain an explicit provision that requires controllers and processors to prepare such a policy. However, the GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In addition, under the principle of accountability, controllers and also processors must be able to demonstrate compliance with the rules of the GDPR. This basically means that every step the controller / processor takes has to be documented.
Taking the above into account, in order to comply with the requirements of the GDPR, it is certainly advisable for controllers and processors to have a data breach policy in place, including a breach response plan. In order to ensure data protection awareness among employees, they should be informed of such a policy and response plan and the fact that they have been informed about such a policy and response plan should be documented. Regular training sessions are recommended.
5. What does a breach policy typically contain?
A breach policy typically addresses the below issues:
a) the definition of security breach and data breach;
b) a description of the aim of the policy (prevention of breaches as well as properly addressing them);
c) a description of the implemented technical and organisational measures;
d) a description of the internal reporting procedure (how to report the breach internally);
e) a description of the internal investigation of the breach (methodology applied, risk assessment procedure);
f) a description of a response plan, remedial actions;
g) issues concerning the notification of data breaches to supervisory authorities;
h) issues concerning the communication of data breaches to data subjects;
i) a description of the register of data breaches;
j) a flowchart on clauses g), h) and i) above;
k) a description of the post-monitoring of data breaches and experiences learned from the breach.
The above is only a non-exhaustive list of the issues a breach policy typically contains.
6. What does a data protection officer (DPO) have to do with data breaches?
If the controller / processor has a DPO, the DPO has an important role to play in connection with data breaches. Namely, the DPO cooperates with the supervisory authority and acts as a contact point for the supervisory authority and the data subjects. Furthermore, it is possible to include a specific provision in the agreement with the DPO pursuant to which the DPO is required to assist the controller / processor when it comes to identifying and assessing a breach, preparing the actual risk assessment and making the notification to the supervisory authorities and the data subjects. For further details on the DPO, please click here.
In my next post, I will address issues concerning data protection impact assessments (DPIA).
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.