The General Data Protection Regulation 2016/679, or simply the GDPR, has been in force for just over 3 years. By now most people have become acquainted with it in one way or another. Many will also be aware of some of the more high-profile fines imposed by Data Protection Authorities for personal data breaches under the GDPR, such as the substantial € 22,046,000 on British Airways or € 20,450,000 on Marriott.
Briefly, a personal data breach occurs when the transmission, storage or other processing of personal data results in its destruction, loss or alteration, or in unauthorised disclosure of or access to it, due to a breach of data security regulations. However, dealing with the consequences of a data breach is only part of the challenge data controllers face. The subsequent challenge is to manage the breach appropriately and comply with the reporting duties.
The GDPR not only imposes a reporting duty on data controllers, but also requires action within a specified time frame. Article 33 (1) GDPR gives data controllers a window of 72h to report a personal data breach to the relevant DPA in their Member State. In certain circumstances, they may also need to notify the affected data subjects. If the reporting duty is not carried out in a timely manner, the controller risks a fine for breaching that article, possibly on top of the penalty for the original breach.
Polish DPA’s approach
The Polish DPA, UODO, has in the past imposed several fines on entities that did not comply with the specified reporting duties. Unfortunately, these show that non-compliance can be a costly affair for businesses. The Polish energy company Enea was fined 136,437 PLN (around € 30,242) for a failure to report a breach to the UODO. The authority received information about the personal data protection breach from an unauthorised recipient of an email with an unencrypted, non-password-protected attachment containing the personal data of several hundred people. While reporting a breach within 72h can be a true stress test for the company’s incident response team, a complete failure to report raises serious questions about the data controller’s accountability. What is more, authorities may treat it as an aggravating factor when calculating the fine.
Other entities fined by the Polish DPA for late reporting of incidents include the renowned university Śląski Uniwersytet Medyczny (25,000 PLN or around € 5,541), the insurance company TUiR WARTA S.A. (85,588 PLN or around € 18,971) and the Polish media and telecom giant Cyfrowy Polsat (1,136,975 PLN or around € 252,019). The latter is the most recent and by far the most costly Polish affair of this kind to date. The breach involved hundreds of packages containing clients’ personal data that were lost, stolen or misdelivered by the company’s contracted courier. Polsat was late in reporting these repeated incidents to the UODO. Additionally, there was a two- to three-month delay in notifying the data subjects affected by the leak, raising the risk of misuse of their data by third parties.
How do other European DPAs treat late reporting?
As the GDPR is directly effective in all EU states, the approach to breaches of its articles should be uniform, or at the very least similar, across its jurisdiction. Late reporting of personal data breaches under Article 33 (1) is no different: it is uniformly treated as an aggravating factor when calculating the final amount of the fine imposed on a data controller.
Why is it important to report in time?
Perhaps the most infamous example of the consequences of late reporting is that of Booking.com, headquartered in the Netherlands. The company was 22 days late in reporting a breach to the Dutch authority (AP), and this lack of effective breach management cost them € 475,000. However, the true cost of the late reporting is not the financial one incurred by Booking.com, but rather the one borne by over 4,000 affected customers whose data was compromised.
Per the AP’s report, during the breach criminals accessed the personal data of thousands of Booking.com customers staying in UAE hotels. AP deputy chair Monique Verdier explains that ‘Taking rapid action is essential, not least for the victims of the breach. After receiving a report the DPA can order a company to immediately warn those affected. This can prevent criminals from having weeks in which to attempt to defraud customers.’ The report also highlights the high risk of theft that arises from such data leaks. Even if the personal data accessed by attackers would not on its own pose a high risk of theft, it may be used to extract more data through phishing scams. Hence, it is crucial to note that the relatively short 72h reporting window helps prevent further harm and attacks on the affected data subjects.
How large are fines for late reporting?
Under the GDPR, fines are meant to be effective, proportionate and dissuasive in character. However, depending on the facts of the case and the size or annual turnover of the company, the amounts vary so widely that even a rough estimate of the cost is not possible. This is exemplified by the range of previous fines, from € 5,541 on Śląski Uniwersytet Medyczny to € 600,000 (of which € 100,000 was purely for the late reporting) on the Spanish airline Air Europa Lineas Aereas, SA. Generally, fines can reach up to € 20 million or 4% of the annual global turnover of the culpable company.
How to avoid late reporting fines?
Whereas breaches can happen anywhere, and unfortunately may be impossible to avoid even when preventative measures are in place, late reporting is completely avoidable.
Since the risk of data loss increases as new technologies develop, the rising wave of reported data security breaches and cyberattacks should not come as a surprise to anybody. Incidents of this kind are becoming more common and more expensive to handle. Hence, it is crucial for organisations to implement technical and organisational safeguards against personal data breaches. If a breach nonetheless happens, entities must react promptly and effectively to minimise the risk of fraudulent exploitation of the affected data subjects’ personal information, as well as to prevent phishing attacks and theft.
There are several steps to complete in those first 72h, and doing so within the time frame is without a doubt a considerable challenge for data controllers. In sum, companies must perform the following tasks within 72h of becoming aware of the breach:
- Stage 1: Establish the facts concerning the breach
- Stage 2: Identify the risk level
- Stage 3: Notify the DPA and affected data subjects if necessary
- Stage 4: Develop a recovery plan and prepare appropriate documentation
Circumstances in which late reporting is allowed
While the 72h reporting window applies in most scenarios, delayed notifications are allowed in certain exceptional situations specified in the Article 29 Data Protection Working Party guidelines. These include, in particular, situations where the controller is not able to notify a breach in time, e.g. due to multiple similar confidentiality breaches over a short period of time affecting large numbers of data subjects in the same way. It is also possible to submit reports in phases. These are, however, exceptions: late reports must be accompanied by the reasons for the delay and should not become a regular occurrence.
Proposed incident management support – Data Breach Management Tool (DBMT)
Privacy Optimization has created an automatic tool to help companies manage the process of reacting to data breaches. Factors such as a lack of awareness of the reporting process, the complexity of the procedures, limited technologies or resources, and lack of clear guidelines and evaluation criteria for incident reporting can often make it difficult for companies to comply with the tight time frame.
The DBMT makes this process clear, quick and easy. It allows straightforward, consistent monitoring and coordination of incident and data breach investigations. The tool automatically assesses the risk of an event using a quantitative approach to measure the risk of a data breach, based on an algorithm developed by our privacy experts, so the client is provided with an objective and reliable risk report in a matter of seconds. Keeping a comprehensive overview of the real-time status of data events and GDPR compliance is also made simple by the user-friendly and intuitive Dashboard feature. Additionally, our Privacy Optimization team is always on hand to assist clients, especially when instant assistance is required to tackle data emergencies.