The GDPR Breach Notification Law: T-Minus 72 Hours
13 March 2017
Aside from the scale of the maximum penalties for breaching the regulation, one of the more eye-catching provisions of the EU General Data Protection Regulation (GDPR) is the mandatory 72-hour breach reporting rule.
Keen students of the GDPR will know that we are of course talking about Article 33, which states that “in the case of a personal data breach, data controllers shall without undue delay” notify the appropriate regulator of the breach. Article 33 goes on to state that, where feasible, this notification should take place no later than 72 hours after the breached party has become aware of the incident.
Anyone with any legal training will see that this wording poses a few questions. Seemingly, “undue delay” is likely to be any time after the 72-hour window has passed, though this may be different for data controllers versus data processors. But what would constitute an “undue delay”? What if a party has been breached and had personal data stolen but remains unaware of this fact through lack of care? Under what circumstances would it be deemed not “feasible” to report a breach? On these points the regulation is deliberately vague to allow for a broad range of possible eventualities.
What does the mandatory notification timeline mean for organizations?
Anecdotally, it’s surprising how many organizations don’t have defined processes in place to deal with a suspected breach. Particularly in the heightened atmosphere of a data breach, it’s very easy to come unstuck on relatively mundane and simple points of process: Who should be notified internally? How do we contact the regulator? What do we tell our customers? Is anyone looking into the breach itself and making sure any leak isn’t ongoing?
Although the GDPR won’t help you answer those questions, it is clear on your responsibilities as a business in the event of a breach. Organizations must notify the national data protection regulator and must also notify everyone who has been affected by the breach, where the “data breach is likely to result in a high risk to the(ir) rights and freedoms.”
However, finding out what the breach is, who has been affected, how wide it is and how it happened all within 72 hours is not easy – especially when companies want to be remediating damage caused by the breach in this time. This is where having thorough processes shows its value, because all of this information will need to be relayed to the regulator.
There are some exceptions contained in Article 34 that summarize scenarios in which the data subject does not have to be notified in the event of a breach. One such situation is where the data controller has “implemented appropriate technical and organizational protection measures in respect of the personal data affected by the breach,” and an obvious example would be a breach involving data that have been encrypted by the controller. Article 34 does not provide detail on whether different standards of encryption would be treated differently, but it is clear from the regulation that encrypting data in transit and at rest remains a sensible precaution for those organizations looking to comply with the GDPR.
It is also unclear for now what approach different regulators in Europe will take towards enforcing penalties. Some regulators lean more towards cooperation and training rather than strict enforcement of penalties, but others are harsher. Some commentators suggest regulators will seek to levy a huge fine to make an example of an organization and encourage others to fall into line. Ultimately, making the cost of failing to comply considerably more expensive than the cost of ensuring compliance is usually considered to be an effective way to boost the numbers of organizations taking the proper steps to safeguard citizens’ data.
Although there is still time before the GDPR comes into force on 25 May 2018, organizations need to act now to stand any chance of achieving compliance. The 72-hour mandatory notification window is likely to pose very significant challenges to many companies and as such requires careful planning in advance, to give the best possible chance of compliance with this provision.
Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.