One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Breach Notification and the GDPR

Monday, February 8, 2016 - 11:21

[this article is based on the draft text published by the European Council on 28th January 2016. Recital and article numbers, at least, will change before the final text]

The final version of the Data Protection Regulation's breach notification proposals has addressed many of my concerns with the original draft. Rather than applying the same rules to all breaches, notification is now concentrated on those where it will have most benefit: breaches likely to have a serious impact and those where prompt action by individuals can reduce the likely harm. The timescales for notification are more realistic, though they will still demand a swift and well-organised response by organisations that suffer incidents. Finally, Article 79 gives a hint that reporting breaches and cooperating with the regulator should be recognised in any sanctions that may be applied – a useful incentive.

The Regulation takes a broad view of the harm that may be caused by a breach of information security, recognising the possibility that individuals may suffer "physical, material or moral" damage (recital 67) if their personal data are not taken proper care of. According to Article 4(9), breaches include "accidental or unlawful destruction, loss, alteration", not just unauthorised disclosure of, or access to, personal data. Breaches that create a "risk for the rights and freedoms of individuals" need to be reported to the regulator "without undue delay", and an explanation must be provided if this takes more than 72 hours from the time the breach was discovered (Article 31). However, there is a recognition in Article 31(3a) that it may take longer than this to determine the extent of a breach, so information such as the categories and numbers of affected data subjects and records may be provided in stages. The nature of the breach, its likely consequences, and the steps taken and proposed by the data controller also need to be reported. There is also an explicit requirement on data processors to notify data controllers of any breach they experience (Article 31(2)). Whether or not they are reported, organisations need to keep a record of all breaches affecting personal data and how they responded (Article 31(4)).

Where a breach is likely to create a high risk to individuals – Recital 67a suggests this should be determined in cooperation with the regulator – then the affected individuals should also be notified (Article 32). No fixed timescale for this notification is given, though the Recital appears to recognise that notification is more urgent when it will enable individuals to do something to protect themselves. Information about such actions should be included in the notification. For situations where the data controller is unable to contact individuals, or where this would require disproportionate effort, Article 32(3)(c) allows a public notice to be used instead.

The new Regulation, like sector-specific provisions in other European laws, is a welcome recognition that, in an environment where all organisations are under attack, notification is best used as a tool to help reduce the number and impact of privacy breaches, rather than to "name-and-shame" organisations that try to help their customers and peers. If punishment is required, that should be done using other powers in the Regulation.