A recent study of a wide range of large businesses across the EU reported that the relevant data protection supervisory authority had been informed of only 23% of data breaches. Consequently, most data breaches that took place did not become public knowledge. This article explains what obligations data controllers have under GDPR to report data breaches.
Obligation to Report
A data breach is the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This could include malicious theft or hacking, unforeseen circumstances such as fire or flood, or, most commonly, human error.
One of the major changes to data protection law is that, under Article 33 of GDPR, the controller must report a data breach to the relevant supervisory authority (in the United Kingdom this is the Information Commissioner’s Office) not later than 72 hours after having become aware of it. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. This means that minor data breaches (e.g. a document is misfiled but then later put in the right place with no unauthorised access) do not need to be reported. Where the notification is later than 72 hours after the incident, the data controller must explain the delay. When acting as a data processor, the obligation is to inform the controller without undue delay after becoming aware of the data breach. It is then the responsibility of the controller to report the breach to the supervisory authority.
The report must:
To the extent that it is not possible to provide the above information initially, the data controller may provide the information in phases.
The controller must also report data breaches to the individuals concerned where there is a high risk that the breach will affect their rights and freedoms. Where it would involve disproportionate effort to identify the individuals affected, this obligation can be satisfied by a public communication such as a newspaper or website announcement.
The recent findings suggest that many data controllers still have their heads in the sand when it comes to the risks of data breaches. Many no doubt have legitimate concerns that, by reporting a matter to the supervisory authority, the business risks facing liability. The eye-watering increase in the potential fines that can be levied (the higher of €20 million or 4% of annual worldwide turnover) has caused some angst for businesses. However, it is clear that, when assessing the potential sanctions, one of the first factors the supervisory authority will look at is whether the data controller complied with its obligation to report the data breach. Data controllers should therefore take legal advice as soon as they are aware of a breach.
This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Employment team at Cleaver Fulton Rankin for further advice or information.
Catch-22 – Digital Transformation And Its Impact On Cybersecurity – RSM (2019)