
Letting Them Know What You Don’t Know? 3 Tips for Notification Compliance Under The GDPR

It really is possible to have too much of a good thing, at least as far as General Data Protection Regulation (GDPR) notifications are concerned.  According to a report issued by Pinsent Masons using data from the United Kingdom’s Information Commissioner’s Office (ICO) and other EU data protection authorities, data breach notifications substantially increased since the effective date of the GDPR in May 2018.  How much?  According to the report, from approximately 3,300 notifications in the year preceding the implementation of the GDPR to over 11,000 reports through February 2019 (14,000 reports through May 2019 if one extrapolates the numbers) — an almost four-fold increase in notifications.  Suffice it to say that many companies have opted to “play it safe” and report whenever a data incident occurs, but the “safe play” may not really be the right call in many cases.

One can understand why companies are supposedly erring on the side of caution here.  As I have written previously about the GDPR, the GDPR takes the place of the old EU Data Privacy Directive (“EUDPD”) from 1995 — although the EUDPD was created to address the disparate handling of personal data between EU member states and foster the free flow of information within the EU, the growth of the internet made the EUDPD outdated.  The GDPR represents a comprehensive update to data privacy in the EU, but it is complicated.  From acquiring (and documenting) consent to the collection of “personal data” from data subjects in the EU and the “right to be forgotten” to the handling of personal data breaches, there is a lot to digest in implementing the GDPR and maintaining compliance.  Fines for non-compliance can reach up to 4 percent of global annual turnover or €20 million (whichever is greater).  Needless to say, this regulation definitely gets a company’s attention when it comes to the handling of “personal data” from EU data subjects.

The increase in notifications was expected, but the nature of the notifications is surprising.  Using the United Kingdom as an example, almost 2/3 of data security incidents (61 percent) were reported to the ICO according to the Pinsent Masons report. Under Article 33 of the GDPR, notification of a personal data breach by the controller to the relevant supervisory authority must take place within 72 hours of becoming “aware” of such breach. Moreover, 53 percent of the notifications to the UK ICO took place within three days of incident detection, another 11 percent taking four days, leaving over a third of the remaining notifications (36 percent) taking place in five or more days.  Other countries have shown similar increases according to the report (such as the Netherlands, Ireland, and Denmark). The point?  The GDPR notification requirements have pushed notification to much earlier in the data incident response process, which likely pressures companies to err on the side of caution.

What is interesting is that although the GDPR’s personal data breach notification requirement is definitely giving supervisory authorities more notifications than anticipated, existing guidance does not seem to dictate such a result. The Article 29 Data Protection Working Party (WP29) issued updates to its “Guidelines on Personal data breach notification under Regulation 2016/679” (Guidelines) that specifically address “awareness” of a “personal data breach” and handling of notification in a timely manner.  Although there is no bright-line test for “awareness” of a personal data breach, these Guidelines from the WP29 remain incredibly helpful, even giving examples of scenarios that would not trigger notification.  As a result, it seems that the WP29 Guidelines (among other resources) show an attempt to provide some level of reasonableness to the GDPR notification requirements.

With this in mind, here are three considerations that your company (or client) should take into account when faced with the prospect of a potential personal data breach as a controller under the GDPR:

  1. Not every data incident rises to the level of a data breach.  This point cannot be stressed enough, as it is specifically referenced in the WP29 Guidelines — when faced with a data incident, it is essential to take steps (whether through technical safeguards or other measures) to limit further data compromise. Personal data can be compromised where the confidentiality, availability, or integrity of the data is affected (even temporarily).  These actions are not only important to protect personal data, but may prevent further compromise.  The point: such actions may be the difference between a simple data incident and a full-blown personal data breach. This means that your company’s (or client’s) incident response plans need to be updated if they don’t take these considerations into account.
  2. Not every data breach requires a notification to the supervisory authority.  This point may be a little hard to fathom, but a review of the GDPR Article 33 notification requirements and the WP29 Guidelines supports this proposition.  Specifically, no notification is required where the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” An example of this exception would be where the personal data is made up of publicly available information, or where the personal data has been rendered unintelligible to unauthorized parties and a copy or backup of the data otherwise exists.  That said, it is essential that your company (or client) take immediate steps to determine what data has been compromised, placing an “emphasis…on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.”
  3. Not every data breach requires notification to the individual data subjects.  Article 34 of the GDPR specifically states that “[w]hen the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”  The GDPR language is clear, but when it comes to putting it into practice, not so much.  The GDPR broadly cites the rights and freedoms of natural persons, so care must be taken when making this determination. Although the threshold for notification to individuals is higher than that for notification to supervisory authorities, where required it must also be made “without undue delay.”  When in the midst of determining whether a personal data breach has occurred, time is definitely not on your side, so be careful!

Based upon personal practice experience and that of colleagues, these considerations are not presented in a vacuum and should be heeded.  Take the time to review the incident response plans of your company (or client) so that they put GDPR notification requirements into context and a reasonable and timely GDPR notification determination can be made.  Suffice it to say that letting a supervisory authority know what you don’t know is one thing, but letting them know that you don’t know is another (and more troubling) thing altogether.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.