The European Union’s (EU) General Data Protection Regulation (GDPR) is now in effect and applies to any data controller or processor, wherever located, that offers goods or services to data subjects in the EU. U.S.-based companies that fall within GDPR’s scope must understand its data breach notification requirements and build those standards into their incident response policies and procedures.
Under GDPR, the data controller is the person or entity that “determines the purposes and means” of the processing of personal data. The data processor is the person or entity that processes personal data on behalf of the controller. “Processing” has an extremely broad definition under GDPR, encompassing virtually any operation performed on personal data. The data subject is always a natural person, never a corporation or other entity. In a typical case, the company is the controller, its service provider is the processor, and the company’s individual employees, contractors, customers and agents are the data subjects.
The following describes four key concepts under the regulation and how each differs from its counterpart under U.S. law.
The definition of “personal data” is broader under GDPR than under U.S. law. GDPR defines personal data as “any information relating to an identified or identifiable natural person…” By contrast, many U.S. state data breach laws define the data covered by the notification requirement much more narrowly, for example as a first name or initial and last name in combination with a specific identification or account number or access code, or a user name or email address in combination with a password or security question and answer. (See, e.g., Cal. Civ. Code §1798.82.)
Under GDPR, not only is more data subject to breach notification requirements, but the circumstances in which notification is required are broader. GDPR defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The Article 29 Working Party’s Guidelines (“Guidelines”) add that this includes an incident that results in personal data being only temporarily lost or unavailable, so a ransomware or outage event with no exfiltration can still be a notifiable breach. By contrast, most U.S. state data breach laws cover only the “unauthorized” acquisition of, access to or disclosure of personal data.
Article 33(1) states that a personal data breach must be reported to the supervisory authority “without undue delay” and, “where feasible,” not later than 72 hours after the controller has become aware of it. The 72 hours run from awareness, not from the moment the incident occurred. The Guidelines indicate that the controller becomes aware of a data breach when it has “a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.”
The Guidelines do note, however, that a controller that learns of a possible breach is permitted a “short period of investigation” to determine whether a breach has in fact occurred, and is not treated as “aware” during that period. That window is meant to be short; it is not a licence to defer the clock while a full forensic investigation runs.
Controllers are exempted from the notification requirement only if they can show that the breach “is unlikely to result in a risk to the rights and freedoms of natural persons.” Even where no notification is made, Article 33(5) requires the controller to document the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance. Processors are not subject to the 72-hour deadline themselves; under Article 33(2) they must notify the controller “without undue delay” after becoming aware of a breach, and the controller’s own 72-hour clock then runs from that point. Recital 87 states that “the fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.”
U.S. state data breach laws are not uniform in the notification timelines they impose. For example, New Mexico, which enacted its breach notification law in 2017, requires businesses to notify affected residents within 45 days of discovering a breach, with an additional notice to the state Attorney General and consumer reporting agencies when more than 1,000 of the state’s residents are affected. See NM Stat § 57-12C-6 (2017).
EU Member States must establish a supervisory authority to be “responsible for monitoring the application” of GDPR. Article 33(1) requires any personal data breach to be reported in the first instance to the “supervisory authority competent in accordance with Article 55.”
By contrast, some U.S. state data breach laws require notice to the state Attorney General’s office, not in the first instance, but only when the breach affects a material number of data subjects. See, e.g., Cal. Civ. Code §1798.82(f) (more than 500 California residents). Government notification is not generally required in Texas, Oklahoma, Kansas, Arkansas or Kentucky, among other states. However, an entity covered by the HIPAA Breach Notification Rule must notify the Department of Health and Human Services and, for larger breaches, prominent media outlets as well.
Under Article 34, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected data subjects without undue delay. That communication must include the name and contact details of the data protection officer or another contact point from which data subjects can obtain more information about the breach.
Under Article 33(3), the notice to the supervisory authority must describe the nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned, and must give the name and contact details of the data protection officer or other contact point.
In addition, both the notice to the supervisory authority and the communication to data subjects must describe the likely consequences of the breach and the measures taken or proposed to be taken to address it, including, where appropriate, measures to mitigate its possible adverse effects. Under Article 34(2) the communication to data subjects must do so in clear and plain language.
By contrast, many state data breach laws do not prescribe the content of the notice, or excuse notification altogether where an investigation determines that there is no reasonable likelihood of harm to the affected individuals. See Alaska, Arkansas, Connecticut, Iowa, Louisiana, Mississippi, Oregon.
The breach notification process under GDPR is difficult to navigate. Because the 72-hour clock starts at awareness, the quality of a controller’s logging, monitoring and detection capability determines both when that clock starts and whether the controller can establish the facts (what data, how many data subjects, what consequences) in time to file a complete notification. Given these burdens, it is more important than ever for controllers and processors of EU personal data to put technical controls in place to prevent, detect and monitor for the loss of or unauthorized access to personal data, and to rehearse the notification workflow before an incident occurs.