What obligations regarding personal data breach are provided for in the GDPR?
The GDPR provides for the following obligations related to personal data breaches:
- establishing procedures that allow breaches to be detected and assessed in terms of the risk to the rights and freedoms of natural persons;
- maintaining an internal register of breaches (documentation of every breach, Art. 33(5) of the GDPR);
- notifying breaches to the supervisory authority (Art. 33 of the GDPR);
- communicating a personal data breach to the data subject (Art. 34 of the GDPR);
- taking measures to mitigate the effects of a breach and to prevent its recurrence.
One of the most important, if not the crucial, elements of the breach-handling process is acting promptly towards the supervisory authority and the data subjects: a notifiable breach must be reported to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it (Art. 33(1) of the GDPR), and data subjects, where required, must be informed without undue delay (Art. 34(1)). Time is therefore of decisive importance.
To be able to act promptly, controllers should develop and implement a procedure for handling data breaches. Such a procedure helps to standardise, streamline and accelerate the actions taken once a breach is detected. It should cover, inter alia:
- the objective of formulating the procedure;
- the scope of its application;
- a catalogue of the potential threats and breaches that may occur in the processing carried out by the specific controller;
- a description of the stages of breach management, from detection of the breach to its remediation;
- a description of how the controller's personnel are to act in the event of a data breach.
A well-designed and implemented breach procedure enables the controller, once a breach is detected, to assess promptly and correctly the risk it poses to the rights and freedoms of natural persons.
The procedure also allows the identified breaches to be classified, i.e. the level of risk to the rights and freedoms of natural persons to be assessed as low, medium or high. (The GDPR itself distinguishes only between breaches that are unlikely to result in a risk, breaches that present a risk, and breaches likely to result in a high risk; the three levels below map onto those categories.) The controller's obligations towards the supervisory authority and the data subjects vary with the level of risk assessed:
- low risk (the breach is unlikely to result in a risk to the rights and freedoms of natural persons): the controller is not obliged to notify the breach to the President of the Personal Data Protection Office (UODO); the breach need only be documented in the internal register of breaches;
- medium risk: the controller is obliged to notify the breach to the President of UODO and to document it in the internal register of breaches;
- high risk: in addition to documenting the breach in the internal register, the controller must notify it to the supervisory authority and, in certain instances, communicate it to the data subjects.
For breaches likely to result in a high risk to the rights and freedoms of data subjects the GDPR thus introduces the additional obligation to communicate the breach to the data subjects, unless the controller had applied appropriate protection measures to the affected data before the breach (in particular encryption rendering the data unintelligible to unauthorised persons) or has taken subsequent measures that ensure the high risk is no longer likely to materialise (Art. 34(3) of the GDPR). Where individual communication would involve disproportionate effort, a public communication or a similar measure informing the data subjects in an equally effective manner is required instead (Art. 34(3)(c)).