Irish DPA Issues GDPR Breach Notification Guidelines
The Irish Data Protection Authority (Irish DPA) has released a guide to GDPR breach notifications to help controllers understand their obligations under the EU privacy law, which took effect in May 2018.
The Irish DPA outlines the two primary breach notification obligations under the General Data Protection Regulation (GDPR) as (1) notification to the Irish DPA of any personal data breach, unless the controller can demonstrate that the breach is unlikely to result in any risk to data subjects; and (2) communication with data subjects about the breach where it is likely to result in a high risk to them.
The overview of the breach notification guidance also makes clear that controllers have obligations under Article 5(2) and Article 33(5) to document all personal data breaches in order to be able to demonstrate compliance. This includes the facts around the breach, the effects and the remedial steps taken by the organization.
The guidance defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (defined as any information concerning or relating to an identified or identifiable individual). It includes accidents, deliberate acts, encryption by ransomware, actions without proper authorization, and certain other cases where personal data is lost, destroyed, corrupted or illegitimately disclosed.
As for notification to the Irish DPA, the guidance makes clear that the default is to notify the Irish DPA unless the controller has assessed the breach as unlikely to present any risk to data subjects and can show why it reached this conclusion. For all breaches, even those the controller does not notify to the Irish DPA, it must keep the records Article 33(5) requires, including the basic details of the breach, the controller's assessment of it, its effects and the response steps taken.
When a controller has a reasonable degree of certainty that a security incident has occurred and compromised personal data in a way that might result in any risk to data subjects, the Irish DPA must be notified without undue delay, and no later than 72 hours from when the controller became aware of the breach. As part of the recordkeeping requirements, controllers need to document each breach and have an adequate system in place for recording when they became aware of a breach and how they assessed it. If a data processor suffers a personal data breach, it should notify its data controller without undue delay.
Notifications to the Irish DPA can be made through its website and must include the nature of the breach, the name and contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its possible effects. The Irish DPA also recommends that the initial notification contain information on how and when the controller became aware of the breach and, if applicable, an explanation for any delay.
The guidance establishes a higher threshold for notification to data subjects, but indicates that a controller may communicate with data subjects about a breach even where the circumstances of that particular breach create no legal obligation to do so. Where an organization notifies individuals, it should use clear and plain language, describe the nature of the breach, make recommendations on how to mitigate adverse effects, provide the name and contact details of the DPO or other contact point, describe the likely consequences, and set out the measures taken or proposed by the controller to address the breach.