Last week, the Office of the Information and Data Protection Commissioner (“IDPC”) launched an investigation into a leak of a large volume of personal data by a local IT company. But what is a “data breach” and when do the obligations to notify kick in?
A controller of personal data is bound to implement organisational and technical measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed, and that personal data are not made accessible, without the individual’s intervention, to an indefinite number of persons. In other words, systems need to be built with data protection by design. But even with such systems in place, data breaches may still occur. A breach may result from a cyber or ransomware attack, but equally from an employee sending personal information to the wrong recipient, or from the loss of a device, such as a laptop, that contains personal information. When personal data are breached, the controller needs to consider its compliance requirements.
Article 4 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. When a data breach occurs, Article 33 of the GDPR requires the data controller to notify the supervisory authority (which in Malta is the IDPC) without undue delay and not later than 72 hours after having become aware of it. The notification may be submitted online on the IDPC’s website. Where a data breach is likely to result in a high risk to data subjects, the controller must also notify the affected data subjects. Notification is not required where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The Article 29 Working Party adopted “Guidelines on Personal data breach notification under Regulation 2016/679” in February 2018, which can assist controllers in managing a data breach notification. To ensure adherence to these obligations, it is important for data controllers to have a Data Protection Officer (either in-house or contracted) and to have adequate processes in place between themselves and their processors, so that a data breach is promptly reported, its risk is assessed, and the notification requirements are met within the legal timeframe.