The Data Protection Commission Ireland (DPC), in its Annual Report 2021, announced a changed approach to handling data breach notifications. The report explains that the DPC's focus will shift towards enforcement, away from the current approach that prioritises communication and conciliation with data controllers to help mitigate the impact of data breaches on controllers and data subjects.
A quick read of the three annual reports (2019, 2020 and 2021) shows that some notifications of data breaches were assessed by the DPC as not being data breaches at all. In its 2021 Annual Report, the DPC also found that several data breaches were incorrectly reported. In light of this, the DPC has introduced a revised notification form seeking more precise information. The revised form and the existing guidance documents therefore aim to curb over-reporting and incorrect reporting of data breaches. In conjunction, the DPC has announced that it will stop routinely providing controller-specific advice and recommendations.
While the DPC's use of the terms "personal data breach" and "non-personal data breach" seems intuitive, the terms themselves have not been defined by the DPC or used in data protection legislation. Therefore, with the shift in the DPC's approach and the division between the two categories of data breaches, the definitions and interpretations need some decluttering. This article addresses and clarifies them to assist in adequately reporting data breaches to the DPC.
What is a personal data breach?
A personal data breach is defined in Article 4(12) of the GDPR. However, it is still a point of contention and, often, the first issue is to determine what the DPC considers to be a personal data breach. This can be seen in some of its decisions. For instance, in the recent DPC decision concerning Bank of Ireland Group Plc (BOI) (decision of 14 March 2022), the DPC pointed out that 19 of the 22 notified data breaches were personal data breaches as defined by Article 4(12) of the GDPR. The DPC therefore noted that the mere occurrence of a data breach does not automatically imply a violation of the GDPR.
What is a non-personal data breach?
The DPC has tried to clarify, through its guidance on notifying a data breach, that not all data breaches are personal data breaches (i.e., a data breach may be a security breach that does not involve personal data). For instance, if the personal data involved in a data breach was encrypted, the obligation to report that data breach to the DPC does not arise. Similarly, if a data breach involves the exfiltration of hashed passwords from a website, there is no obligation to notify the DPC of that breach. In the above examples, the security incident had no negative impact on the confidentiality, integrity or availability of personal data; in other words, the principles stated in Article 5 of the GDPR were not violated.
Elements of a data breach notification:
A personal data breach notification for the DPC must contain the following information:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
It is highly advisable that organisations understand the obligation to report data breaches not only as a process for complying with data protection regulations, but also in terms of the ethics and ideals behind the process. Therefore, rather than treating the 72-hour timeline as a simple deadline to meet, organisations must consider the risks to the rights and freedoms of the data subjects involved and act accordingly. The recent guidelines issued by the EDPB clearly set out a practical, case-study-based approach that organisations can implement to assist in reporting and dealing with data breaches.
Therefore, with the DPC's changed approach, organisations should not be surprised if they do not receive a response to a data breach notification. Rather, they must carry out their own investigations and risk assessments, culminating in a report documenting the technical and administrative measures proposed to mitigate the breach and prevent a similar data breach in the future. This report may also contain a review timeline for assessing whether the documented technical and administrative measures have been implemented. This approach is based on two principles: first, being able to notify a data breach without undue delay, and second, reinforcing the principle of accountability. Such an approach will not only respect the ethics of data breach notification but also prepare organisations for the case where the DPC does respond and initiates enforcement action.
Our Recommendations:
We recommend the following to help organisations prepare for the DPC's changed approach:
- Assess whether the incident that occurred involves personal data (the 72-hour timeline starts here)
- If personal data is involved, assess the level of risk
- If the risks to the rights and freedoms of the data subjects are not high and the effects of the data breach can be mitigated, record the occurrence in a breach log and file an internal report
- If the risk is high and the incident affects the rights and freedoms of data subjects, notify the DPC without undue delay, and within the first 72 hours, by filling in this form
- Consider appropriate means of informing the affected data subjects
- Do not wait for a confirmation or any further communication from the DPC
- Carry out the necessary investigations and detailed risk assessments
- Document the investigations carried out and the proposed technical and administrative measures to mitigate the risks and prevent similar personal data breaches in the future in an internal report
- In the internal report, factor in a timeline for reviewing the implementation of the proposed technical and administrative measures
- Maintain a breach log and document a policy and procedure that respects the "without undue delay" principle along with the accountability principle
- Provide regular training and awareness workshops based on the practical, case-study-based approach followed by the EDPB in its recent guidelines
Trilateral's Data Governance and Cyber Risk Team has data protection specialists with extensive expertise and experience in implementing appropriate security measures for personal data across both public and private sector organisations. Our support services will help your organisation protect patient records and maintain trust. Please feel free to contact our advisors, who would be more than happy to help.