13 February 2020
Two of the most important principles of the EU General Data Protection Regulation (GDPR) are transparency and accountability.
You must keep people informed about the ways in which you're processing their personal data. And you are accountable to your Data Protection Authority (DPA - referred to in the text of the GDPR as a "supervisory authority") in all aspects of that processing.
Part of complying with these principles means being honest and acting quickly when things go wrong. If your company suffers a serious personal data breach, i.e. the loss or theft of people's personal data, you're obligated to report this to your DPA. In some cases, you must also inform the individuals whose data has been compromised.
Protection of personal data is considered a fundamental right in the EU. As a responsible organization, you'll have taken steps already to ensure that individuals' personal data is processed securely. But you still need to consider how you'll respond if you have a breach.
Let's take a look at the steps you need to take to notify the relevant people.
As part of your company's data protection policies, you should put together a procedure that will allow you to respond quickly and efficiently when your customers' data security has been compromised. As we've seen from events such as the Cambridge Analytica scandal and the Marriott Hotel data breach, such occurrences are far from uncommon.
Responding quickly is extremely important because it means that you can limit the damage done - both to the individuals affected and to your company. The good thing is that a Data Breach Notice Letter is a document that you can prepare partly in advance as part of your data breach policy.
If you suffer a serious data breach, you're legally required to inform your DPA and in many cases, the individuals whose data may have been compromised. A Data Breach Notice Letter is a way for you to do this.
Article 34 of the GDPR requires data controllers to notify individuals (referred to as "data subjects" in the GDPR) in the event of an especially high-risk data breach.
Data processors (any company that processes personal data on behalf of a data controller) must inform their data controllers as soon as possible in the event of a breach.
The GDPR is well-known for its huge fines, which can reach up to 4 percent of a company's annual global turnover, or €20 million. Recital 148 of the GDPR sets out some of the factors that Data Protection Authorities will take into account when calculating a fine. Among these are:
All of these factors are within your control. Having a clear procedure and Data Breach Notice Letter prepared allows you to respond quickly and efficiently, and minimize the negative impact on your company and your customers.
There are two types of Data Breach Notice Letters:
As mentioned, there are two different thresholds for sending either of these.
The GDPR requires data controllers to notify their DPA if a data breach is likely "to result in a risk to the rights and freedoms" of individuals. This must be done "without undue delay and, where feasible, not later than 72 hours after becoming aware" of the breach.
Recital 85 suggests specific examples of risks that might warrant notification:
You'll always need to inform your DPA about a serious breach. You'll also need to inform the relevant individuals about a very serious breach.
The GDPR requires data controllers to notify the individuals affected if a data breach is "to result in a high risk to [their] rights and freedoms." The essential difference here is in the degree of risk - notifying individuals is only required where there is a high risk.
Here's how the UK's DPA, the Information Commissioner's Office (ICO), distinguishes between a breach that would and would not require notification to individuals:
The GDPR states that providing a Data Breach Notification Letter to individuals might not be necessary if:
There's no 72-hour deadline here. Recital 86 requires data controllers to send individuals a Data Breach Notification Letter so they can "take the necessary precautions" - so you must act quickly.
The Article 29 Working Party provides some examples of the sorts of data breaches that may or may not require notification.
"A brief power outage lasting several minutes at a controller's call centre meaning customers are unable to call the controller and access their records."
This would most likely not require reporting to either the DPA or the individuals concerned.
"A controller operates an online marketplace [...] The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker."
The company should report the incident to both the DPA and the individuals concerned.
"A controller maintains an online service. As a result of a cyber attack on that service, personal data of individuals are exfiltrated."
The company should report the incident to the DPA. However, depending on the context, reporting to the individuals may be unnecessary.
The specific information you'll need to include in your Data Breach Notice Letter will differ depending on the circumstances of the breach. But the GDPR does provide some guidance on the types of information you'll need to include when notifying both your DPA and the individuals concerned.
Article 33 requires you to provide certain information to a DPA in the event of a breach. However, it's important to note that some DPAs require additional information. Some DPAs also prefer you to use a specific form on their website. You will need to take close advice from your Data Protection Officer (if you have one) and consider taking legal advice when notifying your DPA.
It's important that you find out who your DPA is. There's at least one in each EU country. If your company is based in the EU, your first contact for reporting a breach will be the DPA of the EU country in which your company is based.
If you're based outside the EU, you should contact the DPA in your main establishment. Recital 36 sets out the criteria for determining which EU country should be your main establishment.
If you've determined that you also need to notify the individuals whose data has been compromised, Article 34 requires you to use "clear and plain language" and include certain information.
Your Data Breach Notification Letter to individuals should answer the following questions:
This is the minimum level of detail required by the GDPR (including at Recital 86). You will want to include more information depending on the situation. This additional information can include:
You may have to consider your legal position when making these statements to the public. Transparency is extremely important, but it's always best to take advice on how you word such statements. You will want to avoid assuming liability unnecessarily.
Here's an excerpt from Quora's Data Breach Notice Letter:
Quora explains the incident in simple language, indicating the nature of the breach and the type of personal data affected. It then goes on to address specific concerns that users might have.
Equifax set up a dedicated website after a high profile data breach in 2017. It divides its Data Breach Notification Letter into the following questions:
Equifax provides a system whereby users can find out if they have been affected:
Equifax also suggests steps that users might take to mitigate the impact of the breach, as is required under Recital 86:
Hotel chain Starwood announced a major data breach in November of 2018. It set up a dedicated website to provide information to affected users. It answers the following questions in its breach notification:
Facebook alerted its users to a data breach via its mobile app to ensure that as many people as possible got the message.
Facebook also sought to reassure users by explaining the breach in technical terms. It even shared a video featuring its VP of Product Management explaining the breach:
By utilizing different methods of alerting and explaining, Facebook helps make sure that the most people will be reached and can understand what happened with the data breach.
Once you've identified that a data breach has occurred, you must act quickly. It's important to have robust internal procedures so that everyone within your company knows what to do.
If your company has a Data Protection Officer (DPO), they should be the first person to know about any suspected or confirmed breach. The DPO should have an excellent working knowledge of data protection and will be able to make an assessment of whether to report the incident to the DPA.
If you don't have a DPO, you should specify an appropriate senior staff member in your company to whom people can report a breach.
Your Data Breach Policy might specify what information needs to be passed on in the event of a breach, but it's important not to make these requirements too onerous - time is of the essence.
If the breach is still ongoing, you'll need to take whatever measures you can to stop it. This might mean notifying the police or drawing upon relevant technical expertise from within your company.
For example, you may need to:
If you can do so quickly, you should make an assessment of the risks before notifying. This will allow you to present your DPA or the individuals affected with the basic information required.
A risk assessment will require you to answer some of the following questions:
Not every data breach will need to be reported, so you need a system for assessing the severity of a breach.
The EU Agency for Network and Information Security suggests using the following criteria to assess the severity of the breach:
If the data is sensitive, this would result in a high Data Processing Context risk factor, making it more likely that the incident will need to be reported.
A high Circumstances of Breach factor might also mean that you're required to notify your DPA - for example, if there is evidence of some malicious intent on the part of the attacker.
However, if the data is properly encrypted, the Ease of Identification factor might be low, making notification less likely.
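As an added example (not from the article), here is a small scorer for the three ENISA factors named above. It assumes the severity formula SE = DPC × EI + CB and the band thresholds of the ENISA 2013 methodology; the simplified factor values and the mapping of bands to the Article 33/34 notification decisions are this example's own assumptions.

```python
"""Personal data breach severity scorer (added example, not the article's).

Assumed formula (ENISA 2013): SE = DPC * EI + CB, with bands
low < 2 <= medium < 3 <= high < 4 <= very high. Factor values are
simplified; check them against the ENISA document before relying on them.
"""
from dataclasses import dataclass

# Data Processing Context (DPC): what kind of personal data was involved.
DPC = {"simple": 1, "behavioural": 2, "financial": 3, "sensitive": 4}

# Ease of Identification (EI): how directly the data points to a person.
# Properly encrypted data (key not exposed) is scored "negligible".
EI = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}


@dataclass
class Breach:
    data_kind: str          # a key of DPC
    identification: str     # a key of EI
    confidentiality_lost: bool
    integrity_lost: bool
    availability_lost: bool
    malicious_intent: bool


def circumstances(b: Breach) -> float:
    """Circumstances of Breach (CB): assumed 0.25 per security property
    lost, plus 0.5 when there is evidence of malicious intent."""
    cb = 0.25 * sum([b.confidentiality_lost, b.integrity_lost, b.availability_lost])
    return cb + (0.5 if b.malicious_intent else 0.0)


def severity(b: Breach) -> float:
    return DPC[b.data_kind] * EI[b.identification] + circumstances(b)


def level(se: float) -> str:
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    if se < 4:
        return "high"
    return "very high"


def notification_advice(b: Breach) -> dict:
    """Assumed mapping: above 'low' -> notify the DPA (Article 33);
    'high' or 'very high' -> also notify the individuals (Article 34)."""
    lvl = level(severity(b))
    return {"level": lvl, "notify_dpa": lvl != "low",
            "notify_individuals": lvl in ("high", "very high")}
```

Feed it the constructed scenarios from the article (a short power outage, an exfiltration of encrypted sensitive data, a malicious theft of plaintext sensitive data) and the factor interactions described above fall out of the score.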
You're now in a position to know whether it is necessary to notify your DPA, and possibly the individuals affected - via either individual notification, public notification, or both.
It will be very helpful for you to have a template notification letter prepared, to ensure that you can notify at least within the crucial 72-hour period.
Once the storm settles, you need to take a step back and evaluate what happened, and how you can stop it from happening again.
You're legally obligated to cooperate with your DPA throughout this process if requested.
A Data Breach Notification Letter is a method of complying with the legal obligation under the GDPR to let Data Protection Authorities (DPAs) or individuals know about a data breach.
This free, downloadable template helps you get started with:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.