Article 33 of the General Data Protection Regulation (GDPR) imposes obligations on data controllers to report personal data breaches to the relevant Supervisory Authority (SA) within 72 hours of the data controller becoming aware of the breach. These obligations arise unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Several Member States’ SAs have highlighted in their annual reports that some data breaches notified to them were subsequently assessed either as not being personal data breaches at all or as not meeting the criteria for a notifiable data breach within the meaning of Article 33 (see Ireland’s 2021 DPC Report and France’s 2021 CNIL Report). This underscores the importance of organisations having robust processes in place to accurately categorise and assess possible personal data breaches.
This article aims to clarify what a personal data breach is and how data controllers can determine whether a personal data breach meets the criteria for notification to the concerned SA.
What is a personal data breach?
Article 4(12) of the GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. As highlighted in the Article 29 Working Party (WP29) guidelines, whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches. In WP29 Opinion 03/2014 on breach notification, personal data breaches are categorised as follows:
- “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
- “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
The outcome of such a breach is that the data controller will be unable to ensure compliance with Article 5 GDPR principles relating to the processing of personal data, in particular as it relates to ensuring the integrity and confidentiality of personal data.
In summary, a personal data breach occurs whenever personal data is accidentally lost, destroyed, corrupted, disclosed unlawfully (e.g., made available to an unauthorised individual) or if personal data is made unavailable.
It is important to consider that, whilst a personal data breach may have occurred, not every personal data breach will meet the criteria for notification to the SA. As outlined earlier, under Article 33 GDPR data controllers must notify the SA unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Thus, in order to determine whether a breach is notifiable to the SA, data controllers need to assess the likelihood and severity of the risk to the rights and freedoms of affected data subjects resulting from the personal data breach.
Is the personal data breach likely to result in a risk to the rights and freedoms of natural persons?
A data breach may have a range of significant adverse effects on individuals, which can lead to physical, material, or non-material damage. Recital 85 of the GDPR considers several harms to which individuals may be exposed as a result of a data breach. Harms considered include loss of control over their personal data, limitation of individuals’ rights, discrimination, identity theft or fraud, financial loss, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. Such harms may also include significant economic or social disadvantage to the individuals concerned. Accordingly, the GDPR requires the data controller to:
- assess the risks arising from a personal data breach;
- be able to determine whether the breach is likely or unlikely to result in a risk of such adverse effects materialising; and
- determine whether notification obligations arise.
The European Data Protection Board (EDPB) recently proposed updated guidance relating to data breach notification under the GDPR. The EDPB’s guidance includes helpful examples which provide clarity as to when notification may be required. An example provided where notification would not be required is the loss of a securely encrypted mobile device, if the encryption key remains within the secure possession of the controller, and the data lost is not the sole copy under the control of the data controller. In this example, the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question.
A noteworthy update to the EDPB’s guidance concerns providing clarity for data controllers who are not established in a Member State. In such cases, where a personal data breach is identified and the notification obligation is engaged, the EDPB sets out that data controllers who are not established in a Member State cannot avail of the one-stop-shop mechanism. As such, they must notify every single SA in each Member State where affected data subjects reside.
How should data controllers assess a personal data breach?
Recitals 75 and 76 of the GDPR suggest that generally, when assessing risk, consideration should be given both to the likelihood and severity of the risk to the rights and freedoms of data subjects. They further state that risk should be evaluated based on an objective assessment. The EDPB recommends that the assessment considers the following criteria:
- The type of breach;
- The nature, sensitivity, and volume of personal data;
- Ease of identification of individuals;
- Severity of consequences for individuals;
- Special characteristics of the individual;
- Special characteristics of the data controller; and
- The number of affected individuals.
Therefore, when assessing the risk that is likely to result from a breach, the controller should consider a combination of the severity of the potential impact on the rights and freedoms of individuals and the likelihood of these occurring. Evidently, the risk is higher where the consequences of a breach are more severe, and similarly the risk is also heightened where the likelihood of these occurring is greater. The EDPB recommends that, if in doubt, the controller should err on the side of caution and notify the relevant SA.
In order to ensure compliance with data breach notification obligations, we recommend that organisations have appropriate technical and organisational measures in place to establish, without undue delay, whether a personal data breach has taken place. Once a breach is identified, an assessment can then be undertaken to determine whether the notification obligation is engaged. Such measures include the implementation of a robust data breach policy, procedure and risk assessment methodology. Finally, the delivery of regular and effective staff training and awareness relating to data breach identification and reporting is an essential component of an effective incident management framework.
Trilateral’s Data Governance and Cyber Risk Team have data protection specialists with extensive expertise and experience in risk assessing data breaches and assisting organisations in meeting their notification obligations. Please feel free to contact our advisors who would be more than happy to help.