Toolkit for the EU GDPR – 8) Data Breaches and Enforcement

published on Mai 15, 2018

Background

This note is part of our series of “Toolkits” on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

Precisely how the GDPR will be implemented in the UK is currently unclear as the UK legislation is not yet finalised. We nonetheless recommend that a detailed review of data protection policies and procedures are completed ahead of its implementation (and any changes required are implemented ahead of that date too). The GDPR will be implemented in England and Wales through the Data Protection Bill.

The GDPR does not seek to drastically alter the existing UK regime (under Data Protection Act 1998) but it does add important additional proactive requirements for compliance and enhanced data subject rights and protections (as well as creating a more uniform EU-wide regime).

Disclaimer

This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.

What is the GDPR

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.

This note is an overview of the key considerations regarding data breaches and enforcement of the GDPR. This note considers data breaches and enforcement from the point of view of a data controller and will not consider employer/employee relationships or individual data subjects rights.

For more information as to a data controllers obligations under the GDPR and individual rights please see our other toolkits.

Personal Data Breach

Data controllers are required to notify their supervisory authority of a personal data breach where the breach is likely to result in a risk to the rights and freedoms of the individual(s).

In the UK the supervisory authority is the ICO.

In the event of a breach, the data controller should notify their supervisory authority as soon as they become aware of the breach and in any event within 72 hours.

If the breach in question represents a high risk to the individual’s rights than the data controller must in most cases also notify the individual. This is naturally a sensitive matter and it is important that it is dealt with appropriately.

It is advisable that a data controller has appropriate policies or procedures in place to be able to firstly prevent any personal data breaches and secondly to effectively deal with any personal data breaches quickly and effectively, if they do occur.

This note will focus on the duty to notify individuals of a personal data breach.

Notifying the Supervisory Authority of a Personal Data Breach

As mentioned above, a personal data breach will need to be notified to the supervisory authority as soon as possible and any event within 72 hours of being aware of the breach. This notice should:

Describe the nature of the personal data breach;
Include the name and contact details of the DPO (if there is one) or an alternative contact;
Provide details of the likely consequences of the breach; and
Outline measures taken by the data controller (or proposed measures to be taken) to address the breach and, if possible, mitigate any damage caused.

However, it is accepted that it may be difficult to provide a lot of information within the initial 72 hour window as investigations may still be on-going. If investigations are still on-going than the data controller should provide as much information as possible within the 72 hour window. Any outstanding information should be provided to the supervisory authority without undue delay.

If the data controller does not notify the supervisory authority within the 72 hour window (or provide all of the information) they must provide reasoned justification for this delay.

Supervisory Authority Enforcement

The GDPR provides supervisory authorities with the power to enforce the GDPR within their territory and to issue penalties for any breach.

The ICO’s rights include:

Investigative powers;
Power to impose administrative fines;
Ability to serve an “information notice” requiring data controller to provide certain information;
Issue “Penalty Notices”;
Issue “Assessment Notices”; and
Issue “Enforcement Notices”.

It is expected that the Data Protection Bill will require the ICO to publish guidance on how it will exercise Penalty notices, Enforcement Notices and Assessment Notices.

Penalties

It is expected that the Data Protection Bill will require the ICO to publish guidance on the penalties which may be imposed.

The GDPR specifies that the penalty for a breach of the basic principles of data processing or of a data subjects rights will be up to 20 million EURO or 4% of the organisations total annual worldwide turnover in the proceeding financial year, whichever is higher.

Expected Criminal Offences under the Data Protection Bill

It is expected, under the Data Protection Bill, for it to be a criminal offence for a person (without a permitted defence) to knowingly or recklessly:

Obtain or disclose personal data without the consent of the data controller;
To procure the disclosure of personal data to another person without the consent of the data controller;
To retain personal data without the consent of the data controller who controlled the personal data at the time which it was obtained; and
To sell any personal data (which was obtained in one or more of the above circumstances).