On November 28, 2017, the Article 29 Working Party (WP29) closed its public consultation period for WP250, guidance issued by the European advisory body on personal data breach notifications to supervisory authorities and data subjects under the GDPR.
This guidance was hotly anticipated, as the GDPR not only imposes new challenges in notification compliance (a 72-hour notification timeframe, potential fines of up to 4% of global turnover, and a fast-approaching May 2018 enforcement date), but is also somewhat ambiguous regarding the triggers for data breach notification. The consultation period was intended to give the public a chance to provide comments, request clarification, and suggest alternative language for consideration.
At RADAR, we have a unique vantage point rooted in the opportunities and challenges of operationalizing compliance with breach notification laws. The public comments submitted by myself along with my colleagues Alex Wall and Kelly Burg (available here in PDF format) represent the collective knowledge from years of innovation and automation in incident risk quantification and response.
When reviewing WP250 guidance, we identified a key area of concern around specificity and clarity of terminology. Because the GDPR creates new regulatory obligations for many organizations that are already subject to US data breach notification laws, it is imperative that these organizations pay careful attention to the terminology and definitions found in the GDPR and how different or similar they are to the terminology and definitions found in US law. Understanding these differences or similarities is essential for GDPR compliance, and our intent in providing these public comments was to help establish clear, specific, and practical guidelines to allow for consistency and proof of compliance with GDPR.
Key Terms Requiring Further Clarification from Working Party 29
The specific definition of terms used in the GDPR and associated WP29 guidelines can have significant impact on how entities operationalize their compliance efforts. Understanding what constitutes a “data breach,” “having become aware,” and a “short period of investigation” is critical to knowing whether the incident you’re assessing requires notification and when the notification obligation begins. Because enforcement of the GDPR will hinge on the definition of such terms, they must be clarified so that controllers and processors can ensure compliance and avoid penalties and fines.
Become aware: You’ll find this phrase in Recital 85 and Article 33 of the GDPR, indicating when the clock starts ticking on the 72-hour timeline for notifying a supervisory authority in the event of a breach. Article 33 states that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” Given this extremely tight notification timeline, the specific definition of what it means to become aware of a data breach becomes much more critical and debatable. The WP250 guidance is generally clear that a short period of investigation may be undertaken to determine whether a security breach involving personal data has taken place. Once this determination has been made, the controller has become aware. The confusion in the guidance comes from just six words found on page 9 – conflicting language that indicates that the short period of investigation may be undertaken to determine both whether a breach has occurred “and the possible consequences for individuals.” In effect, the guidance contradicts itself by indicating that a risk assessment to determine possible adverse consequences to individuals is a threshold to becoming aware.
RADAR recommendation to WP29: revise contradictory language to preserve the clarity found throughout most of the guidance that awareness is independent of the determination of the level of risk posed by the breach, but rather occurs at the moment a controller learns that the breach involves personal data.
Data breach: Under the GDPR, the term data breach refers to any security incident involving personal data, whether notifiable or not and regardless of the outcome of the risk assessment. Under most US laws, the definition of a data breach typically incorporates a harm standard, meaning that not every security incident involving personal data is a data breach, unless it crosses a harm threshold or certain allowable exceptions are not met. This distinction will be important to note or to reconcile for organizations who are both working to comply with the GDPR and are subject to US data breach laws.
Short period of investigation: The term short period of investigation is used in WP250 to describe the circumstances that may lead to a controller becoming aware of a data breach: “After first being informed of a potential breach...the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being ‘aware.’” Contrary to this language is one instance in the guidelines that explicitly states what constitutes a short investigation. Under the heading “Examples of personal data breaches and who to notify,” we find the following language in example v.: “The controller undertakes a short investigation (i.e. completed within 24 hours) and establishes with a reasonable confidence that a personal data breach has occurred…” Referencing this example, should we understand the definition of short period of investigation to be no longer than 24 hours? The lack of clarity on this point opens the door to inconsistent interpretation and actions that may not be in agreement with the intent of the WP29.
RADAR recommendation to WP29: consolidate the reference to a short investigation as “completed within 24 hours” with other sections in the guidelines that discuss timeliness so that the guidelines are coherent and it is clear to the reader what is a reasonable interpretation of “short period of investigation.”
Number of individuals when assessing risk vs. high risk: Assessing whether a personal data breach is likely to result in risk or high risk to the rights and freedoms of natural persons will be critical in determining if you must provide notice to supervisory authorities or data subjects. WP250 generally reinforces that the triggers for notification are focused on an evaluation of the likelihood and severity of possible adverse consequences to any individual. The guidance notes that “a breach can have a severe impact on even one individual, depending on the nature and context of the personal data that has been compromised.” Yet, in Section IV.B., we find “the number of affected individuals” included under the heading “Factors to consider when assessing risk.” We also find multiple references to number of individuals in the examples provided under “Examples of personal data breaches and who to notify.” As the number of individuals impacted by a data breach is not related to likelihood or severity of possible adverse consequences to the affected individual, we find that these references are extraneous.
RADAR recommendation to WP29: remove any references to number of individuals from the guidance where it bears upon the trigger to notify data subjects. Specifically, RADAR suggests removing the paragraph that begins with “the number of affected individuals” in Section IV.B, on page 22, and removing any such references found in the Annex B breach notification examples.
RADAR has additionally suggested changes to the examples of risk assessments to further demonstrate how the assessment of risk factors contributes to notification decisions, and to remove references to factors that distract from the relevant risk factors.
The opportunity to provide comments on key issues related to personal data breach notification under the GDPR is one example of the privacy community working together for the greater good. Echoing the tone set by the ICO myth-busting article series, the GDPR provides for greater transparency in protecting the rights of EU data subjects, and the opportunity to demonstrate your organization’s accountability when it comes to proper governance of protected data.