Two of the most important principles of the EU General Data Protection Regulation (GDPR) are transparency and accountability.
You must keep people informed about the ways in which you're processing their personal data. And you are accountable to your Data Protection Authority (DPA - referred to in the text of the GDPR as a "supervisory authority") in all aspects of that processing.
Part of complying with these principles means being honest and acting quickly when things go wrong. If your company suffers a serious personal data breach, i.e. the loss or theft of people's personal data, you're obligated to report this to your DPA. In some cases, you must also inform the individuals whose data has been compromised.
Protection of personal data is considered a fundamental right in the EU. As a responsible organization, you'll have taken steps already to ensure that individuals' personal data is processed securely. But you still need to consider how you'll respond if you have a breach.
Let's take a look at the steps you need to take to notify the relevant people.
As part of your company's data protection policies, you should put together a procedure that will allow you to respond quickly and efficiently when your customers' data security has been compromised. As we've seen from events such as the Cambridge Analytica scandal and the Marriott Hotel data breach, such occurrences are far from uncommon.
Responding quickly is extremely important because it means that you can limit the damage done - both to the individuals affected and to your company. The good thing is that a Data Breach Notice Letter is a document that you can prepare partly in advance as part of your data breach policy.
Is a Data Breach Notice Letter Mandatory?
If you suffer a serious data breach, you're legally required to inform your DPA and in many cases, the individuals whose data may have been compromised. A Data Breach Notice Letter is a way for you to do this.
Article 34 of the GDPR requires data controllers to notify individuals (referred to as "data subjects" in the GDPR) in the event of an especially high-risk data breach.
Data processors (any company that processes personal data on behalf of a data controller) must inform their data controllers as soon as possible in the event of a breach.
The GDPR is well-known for its huge fines, which can reach up to 4 percent of a company's annual global turnover, or €20 million. Recital 148 of the GDPR sets out some of the factors that Data Protection Authorities will take into account when calculating a fine. Among these are:
How long the breach lasted
Whether the company took steps to limit the damage
Whether the company reported the incident to the Data Protection Authority
All of these factors are within your control. Having a clear procedure and Data Breach Notice Letter prepared allows you to respond quickly and efficiently, and minimize the negative impact on your company and your customers.
When to Send a Data Breach Notice Letter
There are two types of Data Breach Notice Letters:
Ones that notify your DPA that there has been a personal data breach.
Ones that notify the individuals that their personal data has been compromised.
As mentioned, there are two different thresholds for sending either of these.
Notifying a Data Protection Authority
The GDPR requires data controllers to notify their DPA if a data breach is likely "to result in a risk to the rights and freedoms" of individuals. This must be done "without undue delay and, where feasible, not later than 72 hours after becoming aware" of the breach.
Recital 85 suggests specific examples of risks that might warrant notification:
You'll always need to inform your DPA about a serious breach. You'll also need to inform the relevant individuals about a very serious breach.
The GDPR requires data controllers to notify the individuals affected if a data breach is likely "to result in a high risk to [their] rights and freedoms." The essential difference here is the degree of risk - notifying individuals is only required where there is a high risk.
Here's how the UK's DPA, the Information Commissioner's Office (ICO), distinguishes between a breach that would and would not require notification to individuals:
The GDPR states that providing a Data Breach Notification Letter to individuals might not be necessary if:
The data has been encrypted
You took quick action which negated the risk
Contacting each individual would involve a disproportionate effort. In this case you can make a public statement instead.
There's no 72-hour deadline here. Recital 86 requires data controllers to send individuals a Data Breach Notification Letter so they can "take the necessary precautions" - so you must act quickly.
Examples of Data Breaches
The Article 29 Working Party provides some examples of the sorts of data breaches that may or may not require notification.
"A brief power outage lasting several minutes at a controller's call centre meaning customers are unable to call the controller and access their records."
This would most likely not require reporting to either the DPA or the individuals concerned.
"A controller operates an online marketplace [...] The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker."
The company should report the incident to both the DPA and the individuals concerned.
"A controller maintains an online service. As a result of a cyber attack on that service, personal data of individuals are exfiltrated."
The company should report the incident to the DPA. However, depending on the context, reporting to the individuals may be unnecessary.
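As an added illustration (not part of the original article), the following Python encodes the two thresholds above (Article 33: a risk means notify the DPA within 72 hours of becoming aware; Article 34: a high risk means also notify individuals, subject to the encryption, quick-action and disproportionate-effort exceptions) and applies it to constructed scenarios mirroring the three Working Party examples. The risk level is an input from your own assessment; the code does not judge it for you.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Risk(Enum):
    NONE = 0   # unlikely to result in a risk to rights and freedoms
    RISK = 1   # likely to result in a risk -> Article 33: notify the DPA
    HIGH = 2   # likely to result in a high risk -> Article 34: also notify individuals


@dataclass
class Breach:
    description: str
    aware_at: datetime                     # when the controller became aware of the breach
    risk: Risk                             # outcome of your risk assessment (an input here)
    data_encrypted: bool = False           # exception: data unintelligible to the attacker
    risk_negated: bool = False             # exception: quick action removed the high risk
    disproportionate_effort: bool = False  # exception: public statement instead of letters


@dataclass
class Obligations:
    notify_dpa: bool
    dpa_deadline: Optional[datetime]       # "not later than 72 hours after becoming aware"
    notify_individuals: bool
    public_statement: bool


def assess(b: Breach) -> Obligations:
    notify_dpa = b.risk is not Risk.NONE
    deadline = b.aware_at + timedelta(hours=72) if notify_dpa else None
    # Individuals are told only for high-risk breaches, unless an exception applies.
    individuals_due = b.risk is Risk.HIGH and not (b.data_encrypted or b.risk_negated)
    public = individuals_due and b.disproportionate_effort
    return Obligations(notify_dpa, deadline, individuals_due and not public, public)


def hours_left(b: Breach, now: datetime) -> Optional[float]:
    """Hours remaining on the DPA clock; negative once the 72 hours have passed."""
    o = assess(b)
    return None if o.dpa_deadline is None else (o.dpa_deadline - now) / timedelta(hours=1)


# Constructed scenarios (hypothetical timestamps) mirroring the Working Party examples.
AWARE = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
OUTAGE = Breach("brief call-centre power outage", AWARE, Risk.NONE)
MARKETPLACE = Breach("usernames, passwords and purchase history published", AWARE, Risk.HIGH)
EXFIL_ENCRYPTED = Breach("exfiltration of encrypted records", AWARE, Risk.HIGH, data_encrypted=True)
```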
What to Include in a Data Breach Notice Letter
The specific information you'll need to include in your Data Breach Notice Letter will differ depending on the circumstances of the breach. But the GDPR does provide some guidance on the types of information you'll need to include when notifying both your DPA and the individuals concerned.
Notifying a Data Protection Authority
Article 33 requires you to provide certain information to a DPA in the event of a breach. However, it's important to note that some DPAs require additional information. Some DPAs also prefer you to use a specific form on their website. You will need to take close advice from your Data Protection Officer (if you have one) and consider taking legal advice when notifying your DPA.
It's important that you find out who your DPA is. There's at least one in each EU country. If your company is based in the EU, your first contact for reporting a breach will be the DPA of the EU country in which your company is based.
If you're based outside the EU, you should contact the DPA of the EU country that is your main establishment. Recital 36 sets out the criteria for determining which EU country should be your main establishment.
If you've determined that you also need to notify the individuals whose data has been compromised, Article 34 requires you to use "clear and plain language" and include certain information.
Your Data Breach Notification Letter to individuals should answer the following questions:
What has happened? Describe the nature of the personal data breach.
What are the likely consequences of the data breach on the individuals concerned? It may be necessary to explain how individuals will know that they've been affected.
What have you done in response to the data breach? Have you taken any steps to mitigate or negate the adverse consequences listed above?
Is there anything that the individuals can do to mitigate the risk?
Who can provide further information, if required? This should be your Data Protection Officer if you have one. Give a clear way for individuals to contact you with any questions or concerns about the breach.
This is the minimum level of detail required by the GDPR (including at Recital 86). You will want to include more information depending on the situation. This additional information can include:
The date on which you are giving the notice.
The date on which the breach occurred.
The date on which you discovered the breach.
The types of personal information that have been compromised.
How individuals can find out if they've been affected.
Whether you have informed the authorities, and whether this caused a delay in notification.
Contact details of the relevant Data Protection Authority.
You may have to consider your legal position when making these statements to the public. Transparency is extremely important, but it's always best to take advice on how you word such statements. You will want to avoid assuming liability unnecessarily.
Here's an excerpt from Quora's Data Breach Notice Letter:
Quora explains the incident in simple language, indicating the nature of the breach and the type of personal data affected. It then goes on to address specific concerns that users might have.
Equifax set up a dedicated website after a high profile data breach in 2017. It divides its Data Breach Notification Letter into the following questions:
Equifax provides a system whereby users can find out if they have been affected:
Equifax also suggests steps that users might take to mitigate the impact of the breach, as is required under Recital 86:
Hotel chain Starwood announced a major data breach in November of 2018. It set up a dedicated website to provide information to affected users. It answers the following questions in its breach notification:
Facebook alerted its users to a data breach via its mobile app to ensure that as many people as possible got the message.
Facebook also sought to reassure users by explaining the breach in technical terms. It even shared a video featuring its VP of Product Management explaining the breach:
By using different methods of alerting and explaining, Facebook helps make sure that as many people as possible are reached and can understand what happened in the data breach.
Your Data Breach Policy
Once you've identified that a data breach has occurred, you must act quickly. It's important to have robust internal procedures so that everyone within your company knows what to do.
If your company has a Data Protection Officer (DPO), they should be the first person to know about any suspected or confirmed breach. The DPO should have an excellent working knowledge of data protection and will be able to make an assessment of whether to report the incident to the DPA.
If you don't have a DPO, you should specify an appropriate senior staff member in your company to whom people can report a breach.
Your Data Breach Policy might specify what information needs to be passed on in the event of a breach, but it's important not to make these requirements too onerous - time is of the essence.
Containing the Breach
If the breach is still ongoing, you'll need to take whatever measures you can to stop it. This might mean notifying the police or drawing upon relevant technical expertise from within your company.
For example, you may need to:
Take certain systems offline
Remotely disable a computer terminal
Reset account passwords
Change access rights
If you can do so quickly, you should make an assessment of the risks before notifying. This will allow you to present your DPA or the individuals affected with the basic information required.
A risk assessment will require you to answer some of the following questions:
Who is likely to be affected by the breach?
What type of data has been compromised?
What caused the breach?
Should you notify other organizations, e.g. data processors, who may also be at risk?
Should you call on other expertise, either within or outside your company?
Has the breach been contained?
Assessing the Severity of the Breach
Not every data breach will need to be reported, so you need a system for assessing the severity of a breach.