A new feature introduced with the new European Data Protection Regulation (GDPR) concerns how data breaches must be notified. Article 33 of Regulation 679/2016 requires that in the event of a breach, the data controller notifies the supervisory authority within 72 hours of becoming aware of the data breach. Specifically, the violation of which we speak must be such as to threaten or compromise the freedoms and rights of those concerned: this assessment of the extent of the violation is up to the owner of the treatment, it follows that the notification of the violation itself is not mandatory but it is, in fact, “at the discretion” of the owner. In addition, as provided for in art. 34, if it is recognized that the situation is characterized by a high risk, the obligation to report also exists with regard to the individuals concerned. Given the requirements of the regulation, data controllers are advised to document in any case the personal data breaches suffered (as well as the related circumstances and consequences and the measures taken), even if they decide not to notify the supervisory authority or not to communicate them to the data subjects.

Let’s first clarify when a data breach occurs. This is the situation where there is an unauthorized or unintentional disclosure or access or if there is an alteration or loss, inability to access or – accidental or unauthorized – destruction of personal data. It should be noted that, the responsibility of these situations are not only the responsibility of malicious third parties, but also of the owner of the treatment, specifically when it comes to accidental loss. The latter exists in case of data deletion due to a human or system error or when it is impossible to access the data itself (an example is the loss of the password to access a protected archive or even encryption caused by a ransomware infection).

In addition to the 72-hour deadline, paragraph 3 of Article 33 sets out in detail what must be reported for notification purposes.

“The notification referred to in paragraph (1) shall at least:

  1. describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects at issue and the categories and approximate number of personal data records at issue;
  2. disclose the name and contact information of the data protection officer or other contact point from which to obtain more information;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the data controller to remedy the personal data breach and also, where appropriate, to mitigate its possible negative effects.”

In case of non-compliance, both in terms of timing and in the form required, penalties are triggered and we remind you that they can reach 20 million euros or equal to 4% of annual turnover. Is it therefore worth the risk? Or should you check the status of your company’s security measures from the outset?

Sara Avanzi