Top tips for notifying breaches to regulators under GDPR
Locations
Notifying personal data breaches to regulators requires a considered approach. In the heat of the moment, particularly when there is a 72 hour clock counting down, it is all too easy to make costly mistakes.
Here are our top five tips for navigating the many pitfalls of a breach notification.
1. Notify the right regulator
Identifying the right regulator to notify can be confusing, particularly if the incident affects individuals in multiple countries. If your organisation has identified a lead supervisory authority for GDPR purposes this can make life simpler, i.e. you can notify the lead supervisory authority (although there may be reasons why you would still wish to notify a regulator in another country in order to mitigate risk).
If no lead supervisory authority has been identified, or if in doubt about who the lead supervisory authority would be, the European Data Protection Board recommends notifying at least the authority where the breach has taken place. This implies that you can notify a shortlist of regulators and that there is no need to notify every single regulator for countries where individuals may be located.
The shortlist should be considered carefully. A common factor taken into account includes location of the highest number of data subjects impacted. A less obvious factor that you should take into account is the likelihood of a breach being brought to a particular regulator's attention by other means, e.g. inappropriate processor notifications.
As well as data protection supervisory authorities, other regulators (such as those responsible for particular industries like financial services) or bodies (such as insurers), may need to be notified. It is a good idea to include a checklist of entities you may need to notify in your breach handling plans.
2. Prevent inappropriate processor notifications
It is not unheard of that processors race off to regulators to make a notification.
Processors are not required to notify personal data breaches to regulators or to data subjects. The GDPR requires them to notify the controller. It is then for the controller to assess whether an incident is a notifiable breach and to make that notification - if necessary.
Build obligations into contracts that processors notify you, the controller, of breaches without undue delay (this is a statutory obligation on processors in any event). Do not rely on this alone though. It is a good idea also to include a prohibition on a processor disclosing the fact that there has been a breach to any third party and, for incidents involving processors, to make sure the processor understands they are not to shoot off notifications other than to you the controller.
3. Use the correct form
Do not assume the form you used last time you notified a breach is still up to date. Regulators may update their breach notification forms. Make sure you use the latest and bear in mind that some of them have limits on the number of characters that can be included in a response. It is a good idea to understand in advance what information is required on the forms for countries in which you are likely to have to notify. Doing so means that you can ask the right questions early on.
4. Don’t rush into a 'bad' notification
Not notifying a personal data breach within the GDPR prescribed time limits is in itself a breach of the GDPR. This adds a lot of additional pressure in an already pressurised situation. Do not let this result in a panicked notification that does the organisation no favours at all.
Remember that you can make a staged notification. So, don't be afraid to indicate that you will follow-up with further information once it becomes available.
5. Ensure that you follow through on your commitments
In some cases, notification will necessarily involve making commitments to plugging certain compliance gaps, e.g. by way of further training, implementation of policies and procedures etc. In some cases, the regulator will mandate certain compliance measures. However, it makes sense to be on the front foot in identifying those gaps and committing to address them, ideally within a stated timeframe. However, you need to ensure that you are in a position to follow through on those commitments.