Privacy Law – The EU’s General Data Protection Regulation (GDPR) – Data Breaches

We will be doing a number of posts on the European Union’s General Data Protection Regulation (“GDPR”), as it takes effect on May 25, 2018.  Unlike its predecessor (the 1995 Data Protection Directive), the GDPR is not a directive but a regulation, meaning that it applies directly in every EU member state on its own terms (a directive, by contrast, must first be transposed into each country’s domestic law).  The GDPR applies to a lot of data, but only to “personal data”, defined as “any information relating to an identified or identifiable natural person (‘data subject’)”.

One of the important new aspects of the GDPR versus any European predecessor is that it defines the term “personal data breach” (Article 4(12)) and sets forth notification requirements to both the supervisory authority (the regulator, which this post loosely calls the “jurisdiction”) and the individuals that were or could be affected by the breach (Articles 33 and 34).

A “personal data breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

If there is a personal data breach, the data controller must notify the competent supervisory authority.  Which authority is competent is not spelled out in Article 33 itself; it refers to the competence rules elsewhere in the regulation, which in practice point to the authority of the member state where the controller has its main establishment (the “lead” authority), with other member states’ authorities involved where the processing affects their residents.  The controller must provide this notice “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” and where the notice is later than 72 hours it must be accompanied by the reasons for the delay.  A processor that becomes aware of a breach has a parallel duty to notify the controller without undue delay.  It should be noted that there is an exception to the notice to the supervisory authority: no notice is required if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”  This seemingly large exception has little guidance at the moment, and we can be sure the EU does not want the exception to swallow the rule.  A practical caveat: even where a controller concludes that no notice is required, it must still document the breach, its effects and the remedial action taken, so that the supervisory authority can verify the decision after the fact.

The notification to the supervisory authority must at least: (1) describe the nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned; (2) provide the name and contact details of the data protection officer or another contact point; (3) describe the likely consequences of the breach; and (4) describe the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.  Where all of this information is not available at once, it may be provided in phases without undue further delay, so the 72-hour clock is not a reason to withhold an initial notice while an investigation is still running.

If the breach is likely to result in a high risk to the rights and freedoms of the persons affected, the controller has to communicate it to those persons without undue delay.  However, that communication is not required where (1) the controller had implemented appropriate technical and organizational protection measures, applied to the affected data, that render it unintelligible to anyone not authorized to access it (encryption being the example the regulation gives); (2) the controller has taken subsequent measures ensuring that the high risk is no longer likely to materialize; or (3) individual notification would involve disproportionate effort, in which case a public communication or similar measure that informs the affected persons equally effectively must be used instead.  Note that the third item is not so much an exception as a change of channel: the individuals still have to be informed.  The supervisory authority may also, after considering the likelihood of high risk, require the controller to notify the individuals even if the controller had not planned to do so, so a controller’s own risk assessment is never the final word.

Like a lot of the GDPR, this section still needs to be expanded upon, and forthcoming guidance and interpretations will provide insight into how companies should react to any breach.  It is important to note how this area of the GDPR contrasts with United States data breach laws, which operate at the state level and are usually triggered only upon exposure of specific categories of information (such as Social Security or financial account numbers) that could lead to fraud or identity theft, whereas the GDPR’s trigger is any breach of security affecting personal data, assessed by its risk to the individuals concerned.