The Article 29 Working Party has recently published updated guidance on the Personal Data Breach notification rules in Articles 33 and 34 of the General Data Protection Regulation (GDPR). The original version was published on 3rd October 2017.
The most illuminating part of the update concerns the requirement for organisations to put in place incident detection technologies that can 'immediately' detect whether a security incident has occurred. This obligation is set out in Recital 87. As well as helping with the actual management of the incident, the requirement is significant because it can crystallise the beginning of the time period for giving notice to the regulators. That period is "without undue delay", running from the moment the organisation becomes 'aware' of an incident, and it is subject to a 72-hour long stop.
The guidance recognises that the controller may undertake a 'short period' of investigation in order to establish whether or not a breach has in fact occurred and, during this period, the controller may not be regarded as 'aware'. However, it is clear that this investigation should begin as soon as possible and, if good-quality incident detection technologies are in place, it should commence from the exact moment that those technologies deliver an alert. The ramifications are very significant in both an operational and a legal sense.
Of course, notification to the regulators and then to the individuals affected is contingent upon the security incident causing a risk to the rights and freedoms of individuals. The guidance starts to close an important loophole, because controllers might argue that they are not fixed with an understanding of these risks in the immediate aftermath of the incident, which would give them an argument to push out the notification obligation past 72 hours. The loophole is addressed by a requirement for an impact analysis to begin at the moment of a suspicion arising that personal data might be impacted. In the usual course of events, that suspicion should be close to, or almost synchronous with, the point of incident detection. Moreover, the post-event impact analysis should be bolstered by the pre-event security impact analysis that was done for the purposes of Articles 24 and 35. In other words, the updated guidance reduces the wiggle room for obfuscation that some organisations might have relied upon to buy themselves more time.
Connected to this, the guidance says that data processors do not have to carry out impact assessments before notifying controllers of incidents. This prevents prevarication, thereby speeding up the entire process. Moreover, processors cannot wait to notify controllers until they have all of the facts: they have to notify immediately on incident detection, even if that means notifying in stages. To nail things down even further, the guidance requires controllers and processors to identify their responsibilities for incident detection and response in the Article 28 contracts that govern their relationships.