Speaking at A&L Goodbody’s breakfast seminar, ‘GDPR – The Last Lap’, Anna Morgan, Deputy Data Protection Commissioner, has warned that companies who ‘over-report’ and adopt an overly conservative approach to the GDPR’s breach notification requirements may risk enforcement action from the Data Protection Commission (DPC).
Currently, notification of a data breach to the Office of the Data Protection Commissioner is a recommended action, but is not compulsory. The GDPR (Article 33) introduces the requirement for a personal data breach to be notified to the DPC (or, in the case of a cross-border breach, to the lead supervisory authority) and, in certain cases, for the breach to be communicated to the individuals whose personal data have been affected. Notifications for potential data breaches are not required. Notifications must be made without delay and, where feasible, within 72 hours of the controller becoming aware of the breach.
The GDPR adopts a risk-based approach: the obligation to notify does not apply where the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The onus is on the data controller to assess the risk associated with the breach, rather than notifying immediately and relying on the DPC to conduct the risk analysis for it. This is in keeping with the concept of data controller accountability under the GDPR.
It is also clear that a data controller flooding the DPC with an avalanche of notifications could not be carrying out an actual risk analysis. Ms Morgan has warned that controllers must undertake the risk analysis before making a notification to the DPC, and that data controllers who persistently notify ‘non-notifiable’ data breaches are at risk of enforcement action being taken against them to prevent the ongoing notification of non-breach incidents. Ms Morgan has advised companies to consult the Article 29 Working Party Guidelines on Breach Notification to familiarise themselves with data breach scenarios which may or may not require a notification; the Guidelines include some non-exhaustive examples in the Annex.
A new online notification procedure will be live on the DPC’s website in the coming months. This form will be detailed in nature, requiring companies to self-declare the severity of the data breach that they are reporting and to give details on the nature of the breach, e.g. ‘was it accidental, was it a deliberate hack?’. Notifying entities should give this submission due consideration, as the DPC has indicated that it will take enforcement action against organisations which under-declare the severity of a breach. In preparation for 25 May 2018, companies are advised to ensure that procedures and processes are in place which can distinguish between ‘breach’ and ‘non-breach’, and between ‘high risk’ and ‘low risk’, all within 72 hours.