Last month, the Article 29 Working Party (“WP29”)* published guidelines for the interpretation of the new data breach notification duty, which is part of the General Data Protection Regulation (“GDPR”). Although a Dutch notification duty pertaining to data breaches entered into force on 1 January 2016, the GDPR’s version thereof will be somewhat stricter. In this update, Ovidius addresses the most important parts of the ‘new’ notification duty.
What is a data breach?
A data breach occurs when a security breach results either in the loss of personal data or in personal data being (or possibly being) processed illegitimately. Examples include a crashed hard drive of which no backup has been made, an e-mail sent to the wrong person, or a file that can no longer be opened due to a virus.
The notification duty under the Dutch Data Protection Act (“DDPA”)
Under the DDPA, an organisation must notify data breaches to the Dutch Data Protection Authority within 72 hours after such a breach has been discovered. This duty is not absolute: it only applies to data breaches that may or will lead to significant, severe consequences for the protection of personal data. Notification of the individuals whose data are involved is not always necessary. For a more detailed outline of the current notification duty, we refer to our update of 20 March 2016.
The notification duty under the GDPR
Under the GDPR, the notification duty will become stricter. The GDPR states that, as a principle, all data breaches must be notified, unless it is unlikely that the breach results in a high risk for the rights and freedoms of individuals. As a result, data breaches that were not notifiable under the DDPA may be so under the GDPR. The term for notifying the national data protection authority remains 72 hours under the GDPR, and the term commences once the controller ‘is aware of’ the data breach. According to the WP29, ‘being aware’ should be interpreted as the controller being reasonably sure that personal data are involved in a security breach. Depending on the nature of the incident, the controller is allowed to first (quickly) investigate the incident in order to determine whether personal data have been compromised. The clock then starts to run once that investigation has been completed.

The 72-hour term also applies if the controller uses a processor. For that reason, the GDPR requires the processor to notify the controller of a data breach without undue delay. The WP29 recommends that this notification duty of the processor is laid down in a processor agreement, to ensure that the controller can comply with its own notification duty. The controller remains ultimately responsible for timely notification to the relevant data protection authority.

Another new feature of the GDPR with respect to the notification duty is a documentation requirement: the controller needs to register all data breaches that occur within the organisation. This requirement applies regardless of whether the data breach has to be notified. As noted by the WP29, it is especially important that controllers document that, and why, certain data breaches did, in their view, not have to be notified. This allows the relevant data protection authority to verify whether the controller has complied with its notification duty.
Controllers that do not comply with the current notification duty can be fined by the Dutch Data Protection Authority. These penalties will become higher under the GDPR: the maximum fine will be two percent (2%) of the worldwide turnover per breach, with a maximum of twenty million euros. A further penalty of two percent (2%) may be imposed if the data breach is an indication of a wider failing in security measures. Whether such high penalties will indeed be imposed remains to be seen. Even though the Dutch Data Protection Authority has had the authority to fine organisations since 1 January 2016, no penalties have yet been imposed. The attorneys of Ovidius Law are happy to advise you or assist you with drafting processor agreements or a protocol for data breach notification.
* The WP29 is a European body of representatives of all national data protection authorities of the Member States. The WP29 regularly publishes guidelines and opinions pertaining to data protection.