Since the entry into force of the GDPR, the CNIL has received nearly 800 data breach notifications concerning nearly 34 million natural persons in France and abroad.
In most cases, these violations are caused by a breach of data confidentiality.
While the GDPR requires companies and public bodies to notify the competent administrative authority of personal data breaches, and in some cases even to inform the data subjects, the first months of experience of the GDPR raise operational challenges.
A major and strategic issue, both in terms of sanction risk and image, notification of data breaches requires particular vigilance and the adoption of good practices.
Data breach, key points to deal with:
When to notify the authority?
The materialization of a security breach in an information system does not necessarily constitute a data breach within the meaning of Article 4 of the GDPR. A data breach is characterized by a breach, including simple unauthorized access, of personal data.
However, not all data breaches require notification to the CNIL. To know when it is needed, it is necessary to assess the risk to the rights and freedoms of data subjects.
Article 33 of the GDPR specifies that it is necessary to determine whether the violation is likely to result in a "high" risk to the rights and freedoms of individuals. Otherwise, the controller is not obliged to notify the competent authority of this personal data breach.
This risk will have to be assessed on a case-by-case basis and in particular in the light of the type of violation: violation affecting the integrity, confidentiality or availability of the data, but also the nature, sensitivity and volume of the personal data concerned, the ease of identifying the victims of the violation, the volume of data subjects, their characteristics (children, vulnerable persons) and the possible consequences for them.
In case of doubt, the CNIL recommends to proceed to notification in any case.
The GDPR requires notification as soon as possible and, if possible, no later than 72 hours after becoming aware of the data breach. This is a short and crucial deadline in order to be able to collect all the necessary information for the notification.
The starting point of the time limit is an element to be precisely assessed, in particular in the event that the information concerning the data breach comes from a processor.
For instance, it may be considered that partial information from the processor, which would not allow the materialization of a data breach to be deduced from it, may not constitute the starting point for the 72-hours' time limit.
The integration of this issue into the preparation and negotiation of contracts between controller and processor can in some cases prove to be valuable.
How to notify?
The responsibility for notifying data breaches rests with the controller. However, when notifying, the controller identifies himself and also indicates "whether other companies or organizations are involved in the violation" such as a joint controller and/or one or more processors involved in the data breach.
In France, the CNIL provides a dedicated form on its website to notify any personal data breach.
This is a potential gradual system built by the authority making it possible to proceed initially to an "initial notification" which will have to be completed without undue delay by a "complementary notification".
In practice, it is often impossible to provide an exhaustive overview of the observed data breach in 72 hours, particularly when it results from an act of external malicious intent and when cybersecurity verification requirements do not always allow to respond quickly. Completing the notification form will necessarily require the involvement of different actors/services within the company and coordination will again be a crucial step.
To address the operational and organizational challenges arising from the occurrence of a data breach and the regulatory obligations attached to it, it may be recommended to set up and upstream, a dedicated operating mode based on the model of crisis management cells.
Where the processing of personal data concerned by the breach constitutes cross-border processing in the European Union, the question of the competent authority to which the notification should be made, must necessarily be addressed.
In the case of processing operations, the competent authority in the territory where the controller is established must be notified. However, the designation of a lead supervisory authority could reshuffle the cards.
The cross-border co-responsibility for a processing operation will entail the almost systematic need to notify the data breach to both competent authorities.
Communicate with the data subjects?
The obligation to notify the supervisory authority of a data breach does not systematically imply the obligation to notify the natural persons who have been targeted.
Article 34 of the GDPR provides that data subjects must be informed without undue delay "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons".
Communication to the data subjects is therefore conditioned by the existence of a high risk to their rights and freedoms.
In addition, the GDPR also provides for exceptions to the principle of communication to data subjects, in particular where the personal data affected by the violation are secured by appropriate technical and organizational protection measures such as an encryption method or where the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
Similarly, where communication of the violation to data subjects would involve disproportionate effort or where such communication could represent a risk to national security, national defense or public security, communication to the data subjects is not required.
The interpretation of these exceptions remains relatively abstract to date. In addition, the coverage of their scope leaves a sufficiently wide room for interpretation to allow in many cases to consider the absence of an obligation to inform the data subjects of the violation.
In France, the CNIL will be very vigilant in assessing and implementing this obligation in the event of a data breach. In particular, the notification form to the authority requires in particular to indicate whether this notification has been made or is intended to be made.
As a challenge and a source of considerable risks for the company, the content of communication to data subjects, and particularly its form, while incorporating the information required by the GDPR, must be strategically developed.
It is important to remember that in addition to the notification and communication obligations, there is also the obligation to document these incidents and the information relating to their management. It is therefore necessary to keep a register of data breaches.
As a challenge and a source of considerable risks for the company, anticipation in the treatment of these violations and the establishment of a crisis management arsenal are certainly essential keys.