Personal Data Breach Notification needs incident detection capability, confirm EU regulators
15 February 2018
The Article 29 Working Party has recently published updated guidance on the Personal Data Breach notification rules in Articles 33 and 34 of the General Data Protection Regulation (GDPR). The original version was published on 3rd October 2017.
The most illuminating part of the update concerns the requirement for organisations to put in place incident detection technologies, which can 'immediately' detect whether a security incident has occurred. This obligation is set out in Recital 87. As well as helping with the actual management of the incident, the requirement is significant because it can crystallise the beginning of the time period for giving notice to the regulators. The time period is "without undue delay", commencing from the moment of becoming 'aware' of an incident, and is subject to a 72-hour long stop.
The guidance recognises that the controller may undertake a 'short period' of investigation in order to establish whether or not a breach has in fact occurred and, during this period, the controller may not be regarded as 'aware'. However, it is clear that this investigation should begin as soon as possible and, if good quality incident detection technologies are in place, it should commence from the exact moment that the detection technologies deliver an alert. The ramifications are very significant in both an operational and a legal sense.
Of course, notification to the regulators and then to the individuals affected is contingent upon the security incident causing a risk to the rights and freedoms of individuals. The guidance starts to close an important loophole, because controllers might argue that they are not fixed with an understanding of these risks in the immediate aftermath of the incident, which would give them an argument to push out the notification obligation past 72 hours. The loophole is addressed by a requirement for an impact analysis to begin at the moment of a suspicion arising that personal data might be impacted. In the usual course of events, that suspicion should be close to, or almost synchronous with, the point of incident detection. Moreover, the post-event impact analysis should be bolstered by the pre-event security impact analysis that was done for the purposes of Articles 24 and 35. In other words, the updated guidance reduces the wiggle room for obfuscation that some organisations might have relied upon to buy themselves more time.
Connected to this, the guidance says that data processors do not have to carry out impact assessments before notifying controllers of incidents. This prevents prevarication, thereby speeding up the entire process. Moreover, processors cannot wait to notify controllers until they have all of the facts: they have to notify immediately on incident detection, even if that means notifying in stages. To nail things down even further, the guidance requires controllers and processors to identify their responsibilities for incident detection and response in the Article 28 contracts that govern their relationships.
These updates will be challenging for controllers and processors, particularly those who have overlooked the need for robust incident detection technologies, protocols and playbooks addressing the responsibilities of the entities involved in the extended supply chain. Reading between the lines, the guidance gives the impression that the regulatory tolerances around information security might be lower than even the most pessimistic commentators and thought-leaders have guessed at. If so, then the GDPR might quickly deliver some harsh outcomes after the go-live date.
Some other points to note:
- The interest of law enforcement agencies is given greater precedence than before. If they advise against notification for operational reasons, that can act to "stop the clock";
- Incidents occurring outside the EEA will have to be notified, if the underlying processing falls within the scope of the GDPR. Many organisations will have overlooked this;
- Non-availability issues might have to be notified and so organisations are warned to keep proper logs, as part of the accountability principle;
- Joint controllers need to agree their respective responsibilities for incident detection and response;
- Communications to individuals should be in their native language, if there haven't been any prior business dealings in which another language was used;
- The role of the Data Protection Officer is amplified. As well as helping in playbook creation, they should be involved in the incident response process itself.
If you want to know how PwC can help you with Personal Data Breach notification, download our overview here.
By Stewart Room