There has been an ongoing discussion regarding the reporting of breaches to National Authorities since Regulation (EU) 2016/679 (GDPR) went live just over a year ago. Pinsent Mason’s law firm, in their recent review of reporting of personal data breaches (PDBs) in the UK, noted that there had been a spike in the reporting of incidents, which is also reflected in reports from Ireland Apart from better awareness of the obligations under GDPR (and the consequences of failing to report within the 72 hours) the legal firm suggested a possible cause for this may also be a lack of detailed regulatory guidance. Such guidance is needed, they suggest, to help with the assessment of whether the reporting threshold has been met in any given situation.
In practice, for DPOs, it has often been very difficult to make a finding as to the necessity to report (or not report) a breach. This is especially so when, at an early stage of an investigation, there may be incomplete information available relating to a particular incident to facilitate making a full assessment. As a result, many organisations have taken a risk-averse position choosing to notify the National Authority on a precautionary basis to avoid falling foul of the new requirements or receiving a significant GDPR fine.
While this can be seen as a ‘better safe than sorry’ approach, this may not be the only motivation in reaching out to a National Authority in such circumstances.
The challenge with the reporting obligation.
The real issue arises around Art 33(1) of the GDPR which requires reporting:
“unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
How this ‘unlikeliness’ is to be quantified along with the required level of confidence in the measure used, is a real issue for those involved in the time-constrained assessment. As we are seeing with other interpretations of adequate compliance with the principles of the GDPR, different nuances and preferences are emerging in different jurisdictions despite the best efforts of the European Data Protection Board.
Given that this assessment of ‘unlikeliness’ is based on what a reasonable person may expect to happen to a Data Subject in light of any given breach, this will likely involve considering, and subjectively assessing, a wide range of potential consequences. Some of these consequences may have already occurred while those that may yet occur in the future will require an element of guesstimation on behalf of organisations and their DPOs.
Recital 85 suggests that the possible consequences to be considered should include the potential for:
- physical damage
- material damage
- non-material damage such as:
- loss of control by the Data Subject over their personal data,
- limitation of their rights,
- identity theft or fraud,
- financial loss,
- unauthorised reversal of pseudonymisation
- damage to reputation,
- loss of confidentiality of personal data protected by professional secrecy,
- any other significant economic or social disadvantage to the natural person concerned.
The Article 29 Working Party’s (now the European Data Protection Board) ‘Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)’ echoes this and suggests considering:
- The type of breach
- The nature, sensitivity, and volume of personal data including what that data may reveal about the affected individual
- The ease of identification of individuals
- The severity of consequences for individuals.
- Any special characteristics of the individual (are they vulnerable adults or children)
- Any special characteristics of the nature and role of the data controller (e.g. are they a medical organisation)
- The number of affected individuals
The assessment of potential risks and impacts to a data subject will always depend on an organisation’s assessment of a multitude of factors and will likely reflect the organisation’s own internal risk appetite and that of the decision-makers. So what to do?
Reporting in Ireland
For Ireland, the original position of the National Authority was to warn of consequences for over-reporting in the immediate aftermath of GDPR going live. However, the Data Protection Commission (DPC), like other National Authorities, has had to adjust to the new regulatory regime during the past 12 months. Since then, as the DPC has expanded and as a greater understanding of the concerns of organisations and their DPOs has developed, the ‘mood music’ has softened. The latest advice from the DPC was issued in August of this year. This note has provided some further clarity as to how the DPC is approaching breaches. Tellingly it states:
“… that the default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as unlikely to present any risk to data subjects, and the controller can show why they reached this conclusion.” (Original emphasis)
Unless personal data is fully encrypted or anonymised (and therefore risk-free) the guidance appears to require reporting of breaches erring on the side of caution. This broader requirement for reporting may have the benefit of providing the DPC with greater engagement with registered DPOs, with whom they are to extend a support network(p5), while at the same time providing visibility of the prevalent challenges faced by organisations and sectors as they too come to terms with the GDPR.
Patterns of likely non-reportable individual breaches
However, in some areas, the guidance is still not clear. For example, what about where there is a pattern of minor breaches which, when assessed independently, are unlikely to present any risk to Data Subjects by virtue of the particular circumstances? Despite the lack of severity of the issues, their frequency or pattern may indicate to a DPO the existence of a potential systemic problem. How should these decisions be guided?
Best practices is still slowly emerging, and based on the experience of other organisations and their interaction with National Authorities, DPOs might be advised to take a wider view in relation to the purpose of their interactions with the National Authority:
- The DPOs function is to be the first point of contact between the National Authority and the organisation they represent.
- The contact with the National Authority is not just for breach handling but also to avail of guidance and support (as per the declared mission statement).
- A DPO can best support their organisation by developing a relationship with the National Authority which begins with formal registration, but which is built on by means of:
- Submission of formal queries
- Replying to public consultations
- Attending networking and information events supported by the National Authority?
Thus, in such cases, the reporting of patterns may benefit the dialogue between the DPO and the National Authority allowing the DPO set out how the perceived risk is being mitigated and provide an implementation timeline for such actions. At least this way, should another similar breach with more serious consequences occur and require formal reporting, there has been transparency and a demonstration of accountability and an intent to be compliant with the requirements of the legislation beforehand.
What does this mean for your organisation:
The likelihood of having to report a breach is quite high as being able to stand over an assessment of ‘unlikeliness’ in terms of potential future impacts on data subjects may be quite onerous in many circumstances. More importantly, what may have been seen as negative precautionary reporting has other benefits when seen in the wider context of relationship building with the National Authority as well as in terms of demonstrating transparency and accountability. There is more to be gained than feared from engaging when genuine efforts are being made to comply with the legislation.
If your organisation needs assistance with incident reporting processes or support for your DPO, please feel free to make contact with one of Trilateral’s advisors.