Do the affected (or other*) individuals need to be informed of the data breach?

To assist you in deciding whether to inform affected or other individuals of the data breach, you should:

  • consider the impact of the data breach on the data subjects
  • identify and understand the purpose for informing the subject of the data breach
  • determine whether there is any obligation in the relevant jurisdiction(s) to provide information to affected individuals if they request such information

From a data privacy perspective, the General Data Protection Regulation (expected to come into force early 2018) will apply across the whole of the EU and will generally require data controllers to notify data breaches likely to result in a high risk to affected individuals to those individuals “without undue delay”.

The incident management team should carry out an "impact assessment" to consider the risks of the data breach for affected individuals. You should consider:

  • how sensitive is the lost data (eg does it involve private details or security/financial account information)?
  • is the lost data protected eg by encryption?
  • do the circumstances of the breach suggest it will be misused?
  • are the individuals particularly vulnerable to abuse of lost data?

If you decide to notify individuals of a breach, notification should have a clear purpose. Consider relevant contextual factors, such as:

  • are you contractually obliged to notify?
  • what privacy policies or other written representations (if any) have been communicated to affected individuals concerning the data at issue?
  • can notifying assist individuals to mitigate/manage any risk?
  • are there dangers in over-notifying? This may become an issue if the notification would serve no practical purpose, or would have a disproportionate impact on the people notified compared to the likely consequences of the breach. For example:
    • if you have lost only five out of 5000 individuals’ data, but are not sure which five, notifying all 5000 may be disproportionate
    • if the loss caused by the data breach is a corruption of data which can be restored, notice may not be required
  • take care over the form of notification. It should generally include how and when the loss occurred, what data was involved and what the organisation’s response has been, but it should avoid any acknowledgement of legal responsibility for the breach, or of any relevant breach of contract or law
  • whether or not you decide to notify individuals of a breach, in some jurisdictions there is an obligation to provide details about a breach to a data subject at their request
* Examples of other data subjects include commercial customers, group companies or other parties to whom your organisation owes contractual obligations, eg employees.