How a company should behave if suffering a Data Breach, according to the new General Data Protection Regulation (GDPR)? How should it do it and in which time? What are the liabilities and what sanction does it incur in if it does not behave accordingly?

We had a “Word of the Day” about Data Breaches recently, and our curiosity about the topic arose quickly on what a company should do, also from a juridical perspective, in case it is victim of an IT violation and what are its liabilities according to European Regulation 2016/679 which will become effective in a few months and it’s worth preparing for it. 

Security of personal data -ie “any information relating to an identified or identifiable natural person” (art.4, par.1, n.1)- is considered by the European Regulation a primary commitment of the subject treating such data, in accordance wiht the principle of “accountability”. Indeed, art.32 specifies that the owner and the responsible of the treatment must employ adequate technical and organizational measures in order to guarantee an adequate security level to risk, still taking into account the state of the art and costs, the nature, object, contexts and aims of the treatment, as well as the risks of different probabilities and gravity for rights and liberties of natural persons.
The norm precises that, when evaluating this security level, we must consider risks derived to destruction, loss, modification, unauthorized diffusion or access -be it accidental or purposely- to personal data.

So, what is a Data Breach according to the Regulation?
Art.4, par.1, n.12, defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What should a company do in case of a Data Breach?
A new obligation of notifying the data breach subsists, which is not expected by the previous European Directive 95/46 on privacy. 

Who is the subject deputed to such communication, and who is the recipient? What are its characteristics?
Norms calls that the obligation of notification being a responsibility of the owner of the treatment, ie. “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (art.4, par.1, n.7).
The regulation, as for other profiles, distinguishes two hypothesis: let’s see the premises and what to do.

The first case is disciplined by art.33 which imposes the notification of the violation of personal data to the national control Authority in charge without an unnecessary delay, and, if possible, within 72 hours from the moment of acknowledgment, unless it’s unlikely that the violation has a risk in terms of rights and liberties of natural persons. If the notification is not within 72 hours, it must be supplied with reasons about the delay.

The norm also calls for the minimum content that the Supervisory Authority must be provided with:

1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
3. describe the likely consequences of the personal data breach;
4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The following article, art.34, considers another obligation of data breach notification to the subject involved, “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. The norm also considers that the communication must happen without undue delay and must describe, with a clear and easy language, the nature of the violation and contain at least the information described at letters b), c) and d) of the aforementioned article 33.
Verily, the norm states that the owner of data could be exempt from communicating to the subject if incurring in one of the following conditions:

• has applied all adequate technical and organizational measures to protect data and such measures has been applied to personal data object of the breach (ie encryption);
• has adopted further measures in order to prevent an high risk for rights and liberties of the involves persons;
• communication would require excessive efforts (in this case a single public communication can be done).

 

What are the fines one is to expect in case of violating the obligation of notification?
Infringements of provisions if heavily sanctioned by the Regulation: administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (art. 83, par.4).
Additionally, art.82 states that, in general, “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”, unless said controller or processor can prove the damaging event is not to be ascribed to him.

In conclusion, the compliances following a data breach are not easy by no means at all or easy to apply, and fines might be very severe. Therefore it’s way better to act in a preventive way, thus improving every security measure: as always, prevention is better than the cure.