5 misconceptions about the GDPR data breach notification | by CMS
In 2019, the Dutch Data Protection Authority (DDPA) received 26,956 data breach notifications. The majority of these breaches were notified by organisations active in the health sector (mostly hospitals, pharmacies and organisations that perform population studies). Data breaches have a severe financial and social impact on society and on organisations, in the healthcare sector in particular, given the sensitive nature of the personal data processed there. In this article we clear up five misconceptions regarding the GDPR data breach notification obligation.
Roughly twice a year, the DDPA publishes an overview of data breach notifications in the Netherlands; the latest overview was published in February 2020. These overviews show a year-on-year increase in data breach notifications. The data protection and privacy team of CMS regularly provides first-response assistance before, during and after a (potential) data breach.
A security breach is not always a data breach
A security breach is not always the same as a data breach. The notification obligation under the GDPR concerns a "personal data breach": a breach of security that has led to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data (Article 4(12) GDPR). A compromised server on which no personal data was read, changed or destroyed is a security incident to be resolved, but not a notifiable data breach. The scope of the notification obligation is therefore narrower than some organisations think. This also underlines the need for adequate log files (access logs, database audit trails) retained long enough to establish whether an unauthorised party actually accessed, deleted or altered personal data; without them, an organisation must assume the worst and notify.
Data breaches do not only concern confidentiality breaches
Many notifications to the DDPA concern data breaches caused by human error, such as e-mails or letters sent to the wrong recipient. However, notified hacking, malware and phishing incidents increased by 25% in 2019. In the healthcare sector alone, such incidents accounted for 13% of all notified data breaches.
It is important to realise that a data breach can affect personal data in different ways. Data breaches can be divided into three categories (one incident may fall into more than one):
- Confidentiality breach – this is a breach that concerns the unauthorized disclosure of or access to personal data. For example, the incident at the Haga hospital concerned unauthorized access to patient files.
- Integrity breach – this is a breach that concerns the unauthorised alteration of personal data. For example, an attacker compromises a website and changes an administrator's e-mail address and password.
- Availability breach – this is a breach that concerns the unauthorised loss of access to, or destruction of, personal data. For example, files are encrypted or data is deleted in a ransomware attack. Even if a back-up of the data exists and the data can be restored, the incident still qualifies as a data breach; the back-up only affects the assessment of the risk to the people involved.
The 72-hour period for notifying the supervisory authority does not start when the incident occurs
The data controller – e.g. a hospital or pharmacy – must notify a personal data breach to the supervisory authority within 72 hours. In the Netherlands this is the DDPA. Notification is not required when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. It is sometimes argued that the DDPA must be informed no later than 72 hours after the incident occurred. However, the GDPR requires notification "without undue delay and, where feasible, not later than 72 hours after having become aware of it" (Article 33(1) GDPR). The 72 hours therefore run from the moment the controller becomes aware of the breach, which may be well after the incident itself if it went undetected for some time. Two caveats apply. First, a notification made later than 72 hours after becoming aware must state the reasons for the delay. Second, "becoming aware" does not wait for the investigation to finish: a controller is regarded as aware once it has a reasonable degree of certainty that a security incident has compromised personal data, so a short initial investigation is acceptable, but the clock cannot be held back by a prolonged one.
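The points above (log files that show what an intruder actually did, the three breach categories, and the 72 hours counted from awareness rather than from the incident) can be turned into a small triage routine. The following is an added example, not code from the article or from CMS: the audit log format, its field names, the compromised account name "svc-backup", the patient record identifiers and all timestamps are constructed for illustration, and the action-to-category mapping is an assumption about how such a log would be labelled in practice.

```python
"""Audit-log triage: did a compromised account read, alter or destroy personal
data, and in which breach category? Added example, not code from the article
or from CMS. The log format, field names, account name and timestamps are
constructed for illustration."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log, one JSON object per line, as an application or
# database audit trail might emit it. "svc-backup" is the hypothetical account
# found to be compromised; "personal_data" marks resources holding patient data.
SAMPLE_AUDIT_LOG = """\
{"ts": "2020-03-02T01:12:04Z", "actor": "svc-backup", "action": "login", "resource": "-", "personal_data": false}
{"ts": "2020-03-02T01:13:40Z", "actor": "svc-backup", "action": "read", "resource": "patient/10021", "personal_data": true}
{"ts": "2020-03-02T01:13:41Z", "actor": "svc-backup", "action": "read", "resource": "patient/10022", "personal_data": true}
{"ts": "2020-03-02T01:15:02Z", "actor": "svc-backup", "action": "update", "resource": "patient/10022", "personal_data": true}
{"ts": "2020-03-02T01:20:10Z", "actor": "svc-backup", "action": "delete", "resource": "patient/10023", "personal_data": true}
{"ts": "2020-03-02T01:21:00Z", "actor": "svc-backup", "action": "read", "resource": "config/app.ini", "personal_data": false}
{"ts": "2020-03-02T08:30:00Z", "actor": "dr.jansen", "action": "read", "resource": "patient/10021", "personal_data": true}
{"ts": "2020-03-02T09:00:00Z", "actor": "svc-backup", "action": "read", "resource": "patient/10024", "personal_data": true}
"""

# Assumed mapping of logged actions onto the three breach categories.
ACTION_TO_CATEGORY = {
    "read": "confidentiality",
    "export": "confidentiality",
    "update": "integrity",
    "delete": "availability",
    "encrypt": "availability",
}

# Constructed incident timeline (UTC).
WINDOW_START = datetime(2020, 3, 2, 1, 0, tzinfo=timezone.utc)  # first suspicious login
WINDOW_END = datetime(2020, 3, 2, 2, 0, tzinfo=timezone.utc)    # account disabled
AWARE_AT = datetime(2020, 3, 4, 10, 0, tzinfo=timezone.utc)     # personal data confirmed affected


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_incident(log_text: str, compromised_actor: str,
                    window_start: datetime, window_end: datetime) -> dict[str, set[str]]:
    """Return {category: set(resources)} for the personal-data resources the
    compromised account read, altered or destroyed inside the window.
    An empty dict means: security breach, but no personal data breach."""
    affected: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        ts = parse_ts(entry["ts"])
        if entry["actor"] != compromised_actor or not (window_start <= ts <= window_end):
            continue
        if not entry["personal_data"]:
            continue  # config files etc.: a security event, not personal data
        category = ACTION_TO_CATEGORY.get(entry["action"])
        if category is None:
            continue  # e.g. "login": no record was touched
        affected.setdefault(category, set()).add(entry["resource"])
    return affected


def notification_deadline(aware_at: datetime) -> datetime:
    """Art. 33(1) GDPR: the 72 hours run from becoming aware, not from the incident."""
    return aware_at + timedelta(hours=72)


def demo_data_breach() -> dict[str, set[str]]:
    """Full incident window: records were read, altered and deleted."""
    return triage_incident(SAMPLE_AUDIT_LOG, "svc-backup", WINDOW_START, WINDOW_END)


def demo_security_breach_only() -> dict[str, set[str]]:
    """Same account, but disabled before any patient record was touched."""
    cut_off = datetime(2020, 3, 2, 1, 13, tzinfo=timezone.utc)
    return triage_incident(SAMPLE_AUDIT_LOG, "svc-backup", WINDOW_START, cut_off)


if __name__ == "__main__":
    for name, result in (("full window", demo_data_breach()),
                         ("cut off early", demo_security_breach_only())):
        if result:
            print(f"{name}: personal data breach; notify the DDPA by "
                  f"{notification_deadline(AWARE_AT).isoformat()}")
            for category, resources in sorted(result.items()):
                print(f"  {category}: {sorted(resources)}")
        else:
            print(f"{name}: security breach only, no personal data affected")
```

The second scenario is the one the first misconception is about: the same compromised account, but with access cut off before any patient record was read, yields no affected resources and therefore no Article 33 notification. That conclusion is only defensible because the log records the actor, the action and the resource for every access; an application that logs only logins could not distinguish the two scenarios.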
Data subjects do not (always) need to be informed within 72 hours
The data controller must inform the people involved about the data breach if it is likely to result in a high risk to their rights and freedoms (Article 34 GDPR). The initial response period after a possible data breach is usually hectic, given the number of parties involved. It is therefore useful to know that the GDPR does not fix a number of hours within which data subjects must be informed: the 72-hour period applies only to the notification to the supervisory authority, whereas data subjects must be informed "without undue delay". In practice this means that the people involved do not automatically have to be informed within 72 hours. In special circumstances, however, it is crucial to inform them even sooner than that, for instance when a medical device has been compromised and the people involved must act to protect themselves.
The possibility of a preliminary notification
Many organisations do not realise that they can file a so-called preliminary notification. The GDPR expressly allows the required information to be provided in phases where it cannot all be provided at once (Article 33(4) GDPR). A preliminary notification is the solution when (a) it is not possible to determine within the 72 hours whether a data breach has occurred and whether a notification obligation exists, or (b) it is not yet possible to provide all the necessary information about the data breach. The data controller can withdraw or complete the notification as soon as more information is available, without missing the initial deadline.
The next time a (possible) data breach occurs at your organisation, please keep the above misconceptions in mind in order to resolve the breach adequately. We would be happy to discuss any other issues you or your organisation have dealt with, or any questions you have about the GDPR data breach notification obligation.