The General Data Protection Regulation ("GDPR" or "Regulation"), adopted on April 27, 2016, introduces a new regime for the protection of personal data in the European Union ("EU"). The Regulation will replace the current data protection directive, Directive 95/46/EC ("Directive"). The GDPR will apply in all EU member states from May 25, 2018.
The New Requirements
The GDPR retains the same core rules as the Directive and does not constitute a complete departure from it. However, some changes have been introduced that organizations across all sectors, including those currently not subject to the Directive, should consider. One of the most significant changes brought in by the GDPR relates to its territorial application. While the Directive applied to organizations established in the EU or using "means of processing" located in the EU (e.g., equipment or processors), under the GDPR the application of EU data protection law will become much broader. The GDPR will apply not only to controllers but also to processors established in the EU as well as to those not based in the EU but processing data related to individuals in the EU. In particular, organizations based outside the EU will have to comply with the GDPR when they (a) offer products or services to individuals in the EU or (b) monitor people in the EU. With the GDPR applicable outside the borders of the EU, any organization processing personal data could potentially fall under its application. Processors will be subject to direct compliance obligations.
Among the new requirements, there is a general obligation for organizations to report certain types of personal data breaches to the competent supervisory authority and, in some cases, to the affected individuals.
Data breaches constitute real and concrete threats for organizations that manage personal information. Based on the Breach Level Index ("BLI"), 9,040,592,509 data records have been lost or stolen since 2013. Since the beginning of this year, the number of reported breach incidents has amounted to 918 and concerned almost 2 billion data records. The data stolen or lost included names, emails, bank details and phone numbers, and the incidents involved a wide range of sectors, such as health care, retail, financial services and technology organizations.
Data Breach Reporting, a Growing Trend
Recently, Canada proposed cross-sectoral notification requirements in a draft regulation. The new rules, if adopted, will require companies based in Canada that experience a data breach to provide information to the Office of the Privacy Commissioner of Canada and to keep records of data breaches (very similar to the GDPR). Organizations operating in the United States are already familiar with data breach notification requirements. Although there is no single federal law in the United States imposing a cross-sectoral data breach notification obligation, virtually every state has enacted such a regime.
Despite the fact that US organizations may be familiar with the 48 different state data breach notification requirements, the new GDPR rules constitute a significant expansion for these organizations. While US state laws generally cover specific categories of sensitive personal data (e.g., Social Security numbers and financial information such as bank account numbers and payment card numbers), the GDPR notification obligations will apply to incidents involving any personal data, meaning any data related to an identified person. As a consequence, data breaches that did not require a notification under US state laws might now potentially be caught by the EU rules. This will require US organizations to review and rethink their policies and procedures.
"Personal Data Breach," the EU Response
Under the GDPR, a personal data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed." The new regime introduces a broad definition of personal data breaches, which includes not only loss of data but also access or alteration of data. However, the definition only captures actual breaches, not suspected or potential breaches.
Under the new regime, not all data breaches will have to be reported to the relevant supervisory authority. Controllers are required to inform the supervisory authority when the breach is likely to lead to "a risk for the rights and freedoms of individuals." To determine whether a data breach should be reported, a controller should assess whether an incident, if unaddressed, is likely to have a significant detrimental effect on individuals. This will have to be evaluated on a case-by-case basis. There will be a risk for individuals if processing could lead to physical, material or non-material damages (e.g., discrimination, identity theft or fraud, financial losses, damage to the reputation, loss of confidentiality or any other significant economic or social disadvantage). For instance, a data breach related to financial data (e.g., bank account numbers, payment card information) or other personal information (e.g., identity card number, passport number) could harm individuals because it may lead to identity theft.
Every Hour Counts
In accordance with GDPR Article 33, controllers will have to report the data breach without undue delay and "where feasible, not later than 72 hours after having become aware" of the incident. If a controller does not report the incident within 72 hours, it will have to provide the supervisory authority with the reasons that justified the delay. However, it will not be necessary to fully investigate the breach before reporting it to the supervisory authority. This means that as soon as the data controller becomes aware of a data breach (i.e., is informed of it), the controller has to report it and can provide additional information about the incident in phases. The notification will include the nature of the personal data breach (e.g., the categories of data and the number of individuals concerned); the name and contact details of the data protection officer; a description of the likely consequences of the breach; and the measures taken to deal with it or to mitigate its adverse effects. Also, as one of the new requirements under the GDPR, processors are obligated to notify controllers after becoming aware of a data breach.
Notifying Affected Individuals
When the breach is likely to lead to "high risk to the rights and freedoms of individuals," organizations will also have to notify the affected individuals. Given the tight timeline for the notification, drawing a line between what is a "risk" and what is a "high risk" will not be an easy task for organizations. On this point, guidance is expected from the Article 29 Working Party ("WP29"), the EU body of representatives of national data protection authorities, before the end of the year. Based on the GDPR, informing individuals will not be necessary if: (a) the data were protected by appropriate technical and organizational measures (e.g., encryption); (b) after the incident, the controller has taken measures that ensure that the high risk to the rights and freedoms of the individuals is no longer likely to materialize; or (c) it would involve a disproportionate effort (in this case, controllers can make a public communication).
Noncompliance with the above obligations could lead to an administrative fine of up to 10 million euros or 2 percent of the global turnover, whichever is higher.
In view of the possibility of high fines, as well as the reputational risks, organizations should conduct awareness training for their staff and make sure that they have in place robust procedures for detecting, investigating and reporting a data breach.