What is a data breach?
A personal data breach is defined in Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What are the obligations in the event of a data breach?
There are three main obligations in the event of a data breach:
- Maintain a record of breaches.
- Notify the breach to the CNIL.
- Inform the individuals affected by the breach.
First obligation: maintain a record of data breaches.
This obligation applies regardless of the level of risk the breach poses to the persons concerned.
Following a data breach, the data controller must record in a register the facts relating to the breach, its effects, and the remedial action taken. This register allows the data controller to demonstrate compliance with its obligations in this area during a potential inspection by the data protection authority (CNIL).
The data controller may record any relevant information about the breach, but the register must at least contain the following elements:
- The nature of the breach
- The categories and approximate number of persons concerned.
- The categories and approximate number of records concerned.
- The likely consequences of the breach.
- The measures taken to remedy the breach and, where applicable, to limit its negative consequences.
- Where applicable, the justification for not notifying the CNIL or not informing the data subjects.
Second obligation: to notify the data breach to the CNIL (or any other competent authority).
This second obligation applies where the breach is likely to result in a risk (or a high risk) to the persons concerned.
Indeed, a data breach may entail a risk to the rights and freedoms of individuals, notably an infringement of their private life. Therefore, pursuant to Article 33(1) of the GDPR, a data breach must be notified to the supervisory authority (CNIL) unless it is unlikely to result in a risk to the rights and freedoms of individuals.
What must the data controller notify to the CNIL?
- The nature of the breach (affecting the integrity, confidentiality, or availability of the data);
- The categories and approximate number of individuals concerned;
- The categories and approximate number of records concerned;
- The likely consequences of the breach;
- The name and contact details of the person to contact (DPO or other contact point);
- The measures taken to remedy the breach and to limit its negative consequences.
When must the incident be reported to the CNIL?
The data controller must notify the data breach to the CNIL without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
The moment at which the data controller becomes aware of the breach is the starting point of the 72-hour period. The data controller is considered aware of a breach when it has a reasonable degree of certainty that a security incident has occurred and that it has compromised personal data. This reasonable certainty may be reached after a short period of detection and investigation; the time needed for that initial investigation does not extend the deadline indefinitely.
Note: The notification may be made in phases if the data controller does not have all the required information within the 72-hour period.
- An initial notification is made within 72 hours of becoming aware of the breach.
- If the 72-hour deadline is exceeded, the notification must nevertheless be made, accompanied by the reasons for the delay.
- A supplementary notification must be made as soon as additional information becomes available, without undue further delay.
In practice, the data controller should organise breach detection, investigation and escalation in advance so that a phased notification remains the exception.
How to notify the CNIL?
The public or private data controller who wishes to notify the CNIL of a data breach must use the online notification service: https://notifications.cnil.fr/notifications/index
Focus: the powers of the French CNIL regarding data breaches.
In the event of a data breach, the CNIL assists data controllers by providing advice and observations on the security measures needed to end the breach and/or its effects.
The CNIL may also conduct an assessment as to whether or not individuals concerned need to be informed, or provide recommendations on the matter.
The CNIL also has a role in overseeing compliance with the obligations of the data controller: namely, it can monitor the obligations incumbent upon the data controller, including the maintenance of the breach register, the verification of the risk level, compliance with deadlines, or the content of notifications. It can therefore sanction any breach of one or more of these obligations.
Third obligation: to inform the affected individuals if there is a data breach.
This third obligation applies where the breach is likely to result in a high risk to the persons concerned.
Where a breach is likely to result in a high risk to the rights and freedoms of a data subject, that person must be informed, in clear and plain language, of the following elements:
- The nature of the breach;
- The likely consequences of the breach;
- The name and contact details of the person to contact (DPO or other contact point);
- The measures taken to remedy the breach and, where applicable, to limit the negative consequences of the breach.
Note: Where appropriate, this communication must also include recommendations and precautionary measures for the affected individual, in order to mitigate the potential effects of the breach. For example, changing passwords or making a backup of the data on a personal storage medium are relevant recommendations.
There are exceptions to the obligation to inform the persons concerned, in the following cases:
- The personal data concerned are protected by appropriate technical and organisational measures, such as encryption with a key that has not been compromised, and are therefore unintelligible to anyone not authorised to access them.
- The data controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise.
- Informing the affected individuals would require disproportionate effort, in particular where the data controller has no means of contacting the persons concerned. In that case, a public communication (or an equally effective measure) must be made instead, so that the persons concerned are informed.
How to assess the degree of risk of a data breach?
The three main obligations concerning data breaches, maintaining a breach register, notifying the CNIL of the breach, and informing the affected individuals, apply according to the level of risk associated with the data breach: the register must always be kept, the CNIL must be notified where the breach is likely to result in a risk, and the individuals must be informed where it is likely to result in a high risk.
The data controller must therefore assess the level of risk according to the following elements:
- The type of breach (affecting integrity, confidentiality, or availability of data).
- The nature, sensitivity, and volume of personal data concerned.
- The ease of identifying the affected individuals.
- The possible consequences for individuals.
- The characteristics of the individuals concerned (children, vulnerable persons, etc.).
- The number of individuals concerned.
- The characteristics of the data controller (nature, role, activities).
Note: Notification to the CNIL is not required where the breach is unlikely to result in a risk to the persons concerned, for example where the data disclosed following the breach were already public, or where data that had been backed up were deleted and immediately restored from the backup.