cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
planois
Newcomer III

Art 29 WP guidelines on data breach notification under the GDPR

Article 29 Working Party recently released its guidelines on personal data breach notification under the GDPR.

 

The guidelines are available here: http://ec.europa.eu/newsroom/document.cfm?doc_id=47741

 

One point I found particularly interesting is that according to the document, not having a backup could trigger the need to notify the supervisory authority in the event of a data breach even if the data is encrypted.

 

"Consequently, if personal data have been made essentially unintelligible to unauthorised parties and where the data are a copy or a backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority. This is because such a breach is unlikely to pose a risk to individuals’ rights and freedoms. This of course means that the individual would not need to be informed either as there is likely no high risk. However, it should be borne in mind that while notification may initially not be required if there is no likely risk to the rights and freedoms of individuals, this may change over time and the risk would have to be re-evaluated. For example, if the key is subsequently found to be compromised, or a vulnerability in the encryption software is exposed, then notification may still be required.


Furthermore, it should be noted that if there is a breach where there are no backups of the encrypted personal data then there will have been an availability breach, which could pose risks to individuals and therefore may require notification. Similarly, where a breach occurs involving the loss of encrypted data, even if a backup of the personal data exists this may still be a reportable breach, depending on the length of time taken to restore the data from that backup and the effect that lack of availability has on individuals. As Article 32(1)(c) states, an important factor of security is the “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

 

2 Replies
mwapemble
Newcomer II

Well, yes. The definition in Article 4(12) is reasonably specific - this is not just covering a breach of confidentiality:

 

(12) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

I would note that a direct English reading of the above terms would also suggest that, say, the accidental deletion of a PII database, even if you could recover it from backup / replica, would still be a "breach". Otherwise, why would they have included both the terms "destruction" and "loss". Unless you meant to separately cover different contexts.

planois
Newcomer III

mwapemble, the definition of what constitutes a data breach is indeed not surprising, however I found the guidelines particularly interesting because they clearly stressed that you can still have a reportable data breach even if the data is encrypted - contrary to what has been written by many consultants. Encryption alone is not enough. Lots of people claim that you just need to have encryption and then you do not need to report any data breach. Here, the Article 29 Working Party went out of its way to say that this reasoning is wrong.

 

Just look at the number of hospitals or organizations who were victims of ransomware or other malware, and how few have actually reported such data breaches. Their argument is to say that there is no data exfiltration or that the data was secured or encrypted, however the simple fact that those organizations were not able to timely restore the systems would under the GDPR require them to report to the data protection authorities within the specified timeframe.