The GDPR  Data Breach Notification Obligation

The GDPR Data Breach Notification Obligation

We are starting a series of publications about GDPR. Find out why it matters for everyone.

Iagon Team

According to the Identity Theft Resource Center, a US organization, as of December 6, 2021, there were only 239 data breaches away from breaking the all-time record for data compromises in a single year. However, the increasing problem with data security and the strict regulations regarding data processing in some countries lead to the question: how does the most known privacy framework deal with a data breach?

The General Data Protection Regulation, also known by its acronym, GDPR, imposes several obligations and procedures to controllers who have been victims of a data breach. One particular obligation is the data breach notification obligation, which can be summarized as the duty to make public disclosure and notify the victims when a data breach takes place. This obligation raises several questions, such as: which information should be disclosed and notified? To whom? How should this process be done? When should it take place? And more importantly, how does this help mitigate the effects of the data breach?

First, this obligation takes place whenever a data breach of personal data takes place. Article 4(12) of the GDPR defines a data breach as "The accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed" (EU, 2016).  Whenever a data breach takes place triggers the data breach notification obligation, as stated in Articles 33 and 34.  The first one refers to the duty to notify the data protection authority, and the following one the data subjects.

Regarding the content and time of notification for Article 33. This must include information regarding the nature of the data breach, a description of the possible consequences, and the measures taken to mitigate the effects of the breach (Waesberge & Smedt, 2016). Additionally, Article 33 states that, in the case of a data breach, this shall be notified to the supervisory authority, without undue delay, in a period not longer than 72 hours after the awareness of the breach. Concerning the obligation to the data subject, Article 34 prays that this has to be fulfilled in the case of "likely to result in a high risk to the rights and freedoms of natural persons" (EU, 2016). According to the Articles, these rules apply to the controller and the processor, which should notify the controller without undue delay after becoming aware that a data breach has happened. The obligation to the processor comes since it has to assist the controller in complying with the data breach obligation (Waes-berge & Smedt, 2016). The consequences for not fulfilling these obligations or doing it incorrectly incurs a fine of up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Having understood the elements of the notification and public disclosure obligation elements, let us see how these duties help mitigate data breach problems. First, imposing these obligations as a direct consequence for not fulfilling them can be cataloged as cautionary rather than reactive towards building better cybersecurity measures since they give controllers an ex-ante awareness of possible security risks.

Likewise, other ways in which these obligations can help mitigate data breaches have been discussed. According to Karyda and Mitrou, the notification obligation helps bring transparency to managing a data breach, endorsing the community's right to know (Karyda & Mitrou, 2016), which is a fundamental aspect in the European Union fundamental right convention in Article 8(2). The social benefits of the right to know are intangible and cataloged as the first line of defense regarding data breaches (Arnbak, 2015). The notification obligation also increases the awareness inside organizations, contributing to a better response from the controllers (Nieuwesteeg & Faure, 2018).

By increasing awareness of the controller and allowing a quick response from supervisors, the harm can be reduced and contained, making the notification a fundamental part of the impact assessment and privacy by design (Karyda & Mitrou, 2016), which also fosters cooperation between the victims of a breach and the data authority while giving awareness to individuals for possible claims of damages when a data breach disclosure becomes public (Nieuwesteeg & Faure, 2018). However, the duty of notification could be done inappropriately, making the victim unaware of the breach. According to Ponemon's 2012 study, 36% of the notifications sent to natural persons were received as junk mail, and 13% as email spam, giving us a total of 49% of ineffective notifications (Ponemon Inst, 2012).

The GDPR has some Exceptions to the general rule, situations where the controller does not have to notify the data subjects in case of a data breach. These situations are explained in Article 34 (3) of the GDPR, such as: if the controller has already taken measures to ensure that the risks could no longer materialize, or if the notification would involve disproportionate effort, in which case only a public communication regarding the occurrence of the data breach is needed. Even so, authorities have the right to order the controller to notify the subject (Waesberge & Smedt, 2016).

It is important to highlight the fact that the notification obligation has also been incorporated in other regulations such as Article 4(3) Directive 2002/58/EC, which regulates the data breach notification obligation for telecommunication providers; the Article 19(2) of the EIDAS Regulation 910/2014, which regulates the obligation to disclose breaches of security to certified authorities; and Article 14 (3) NIS (network and information security) Directive 2016/1148, which states the obligation for the essential services to notify to competent authorities in case of attacks. The notification obligation must be taken in many scenarios to ensure mitigation and protection of fundamental rights (Nieuwesteeg & Faure, 2018

Iagon is building a shared storage economy that Bridging decentralization with compliance for Web3.0.

Please follow us on social media and feel free to drop any questions you may have about the project directly in the telegram group.