Data breach: what to document

Breach Documentation

Article 33(5) GDPR:

“The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”

Any personal data breach

This provision is linked to the accountability principle in Article 5(2) of the GDPR. The requirement to document under Article 33(5) applies to any personal data breach, irrespective of whether it is notifiable or non-notifiable to the supervising authorities or data subjects. This requirement to record non-notifiable as well as notifiable breaches relates to the controller’s obligation to be able to demonstrate that processing is performed in accordance with the GDPR.

The precise format in which a controller is required to document a personal data breach is not prescribed by the GDPR. The requirement is simply that a controller shall document certain information relating to the personal data breach. In terms of the information that must be documented, this comprises details in respect of three broad categories of information:

  • the facts of the breach;

  • the effects of the breach; and

  • the remedial action(s) taken.

The purpose of the documentation is to enable the supervisory authority to verify the controller’s compliance with the requirements of Article 33 of the GDPR. Even where you determine there is no risk to affected individuals following a personal data breach, you need to keep an internal record of the details, the means for deciding there was no risk, who decided there was no risk and the risk rating that was recorded.

Documentation requirements

We will provide an outline of what information should be documented by a controller, under Article 33(5), in order to enable a supervisory authority to verify the controller’s compliance with Article 33. This is set out by reference to each of the subsections of Article 33. At the end you will find a table summarising the various documentation obligations.

Article 33(5) documentation pertaining to verification of compliance with Article 33(1)

Article 33(1):

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Is it a personal data breach?

This subsection relates to the notification of a personal data breach. A controller or processor, upon becoming aware of an incident or event, must assess whether it comprises a breach of personal data. The consequence of such a breach is that the controller will be unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR. Be aware that not all security incidents are necessarily personal data breaches! Any assessment of an incident must therefore include details of whether it involves personal data and the categories of personal data involved. The assessment of the incident must also include details of whether it led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Notification to the supervising authority

Subsection 33(1) also requires that a controller must notify a personal data breach to the supervisory authority, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. In this regard, a controller is required to undertake an assessment of the level of risk posed by the breach to affected data subjects. The purpose of this is to ascertain firstly, whether the breach presents a risk to affected data subjects, such that notification to the supervisory authority is required. Such assessment must also then consider whether the breach presents a high risk to affected data subjects, such that notification to data subjects is required under Article 34.

In terms of the factors to be considered when assessing the risk, these are referenced at Recitals 75 and 76 of the GDPR. A risk assessment in the context of a personal data breach can be distinguished from an assessment of the risk arising more generally from data processing (and as recorded in a DPIA). When assessing risk to individuals as a result of a breach, the controller should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of this occurring. Other criteria that such a risk assessment should take into account are:

  • the type of breach;

  • the nature, sensitivity and volume of personal data;

  • the ease of identification of individuals; and

  • the severity of consequences for individuals.

A further requirement is that where a controller notifies a breach to the supervisory authority outside of the 72-hour timeframe, the notification must be accompanied by reasons for the delay. This provision recognises that it may not always be possible for a controller to notify a breach within the 72-hour timeframe and that there may be circumstances where a delayed notification may be permissible. The requirement that a controller provide reasons for the delay is to ensure that any delay in notifying the breach to the supervisory authority is justifiable. In this regard, documentation retained by the controller may assist the controller in demonstrating to a supervisory authority that a delay in notifying a personal data breach was justified.

What to document

A controller will need to record the following information:

  • Information relating to the controller’s assessment of whether the incident or event comprised a personal data breach within the meaning of Article 4(12) of the GDPR;

  • Information relating to the personal data breached, including the categories of personal data and the purposes for which it was processed;

  • Details of the event or incident that occurred and consideration as to whether it led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;

  • Information relating to or outlining the controller’s assessment of risk posed by the personal data breach, to incorporate its assessment of the level of risk posed and the factors considered in this regard; and

  • In the case of a delayed notification, information in relation to the reasons for the delay, including details of the factors that caused the delay, for the purpose of demonstrating that the delay in notifying was justified.

Article 33(5) documentation pertaining to verification of compliance with Article 33(2)

Article 33(2):

“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

What to document

A processor shall notify the controller without undue delay after becoming aware of a personal data breach. In this regard, the processor is required to assist the controller in meeting its obligation to notify the breach. However, the controller must ensure that it has sufficient measures in place to facilitate compliance. In order to enable a supervisory authority to verify that there has been compliance with this provision, the documentation should include details of the processor’s notification of the breach to the controller:

  • the information should include details of when and how the processor became aware;

  • when the processor notified the controller; and

  • if relevant, the reasons for any delay.

Article 33(5) documentation pertaining to verification of compliance with Article 33(3)

Article 33(3):

“The notification referred to in paragraph 1 shall at least:

  • describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

  • describe the likely consequences of the personal data breach;

  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

What to document

Article 33(3) provides that when a controller notifies a breach to a supervisory authority, the notification must at least contain certain information. The notification must:

  • describe the nature of the personal data breach including:

    • the categories and approximate number of data subjects concerned

    • the categories and approximate number of personal data records concerned;

  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

  • describe the likely consequences of the personal data breach; and

  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Article 33(5) documentation pertaining to verification of compliance with Article 33(4)

Article 33(4):

“Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.”

Phased documentation

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. This allows a controller to provide information on a phased basis in circumstances where it is not possible to provide all of the information in the initial notification. Such a phased approach to notification is permissible, provided the controller gives reasons for the delay, in accordance with Article 33(1). WP29 recommends that when the controller first notifies the supervisory authority, the controller should also inform the supervisory authority if the controller does not yet have all the required information and will provide more details later on.

A phased approach may be justified due to:

  • the investigation(s) being carried out;

  • the timing of such investigation(s);

  • the timing of further information being received by the controller or processor; and

  • the level of complexity of the breach.

Where a notification is carried out in phases, the requirement, or reasons, for adopting this phased approach should be reflected in the documentation maintained by the controller. The documentation should reflect the timing of the investigations carried out by the controller and the timing at which further information is received by the controller and then provided to the supervisory authority.
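The record-keeping rules set out above for Article 33(1), 33(2) and 33(4) translate naturally into a breach register entry that can be checked for completeness. The following is an added example, not code from the article or from seventytwo: a minimal internal breach record that captures the facts, effects and remedial actions required by Article 33(5), the risk decision that drives notifiability, the 72-hour timing rule with its reasons-for-delay requirement, the processor's awareness and notification times, and any phased updates with their reasons. The field names, the three-level risk scale and the sample record are this example's own assumptions; the GDPR prescribes no format.

```python
"""Breach register entry with the completeness checks Article 33 documentation implies.

Added example (not part of the original article). Field names, the risk scale
("none" / "risk" / "high risk") and the sample incident below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours after becoming aware


@dataclass
class PhaseUpdate:
    """Information supplied after the initial notification (Article 33(4))."""
    provided_at: datetime
    information: str
    reason_for_phasing: str  # why this could not be included in the initial notification


@dataclass
class BreachRecord:
    incident_id: str
    description: str                 # facts: what happened
    involves_personal_data: bool     # Article 4(12) assessment
    data_categories: list[str]
    breach_types: list[str]          # e.g. "loss", "unauthorised disclosure"
    effects: str                     # effects on affected individuals
    remedial_actions: list[str]
    risk_level: str                  # assumed scale: "none", "risk", "high risk"
    risk_factors: list[str]          # factors considered (type, sensitivity, volume, ...)
    risk_decided_by: str
    controller_aware_at: datetime
    notified_sa_at: Optional[datetime] = None
    delay_reasons: Optional[str] = None
    processor_aware_at: Optional[datetime] = None
    processor_notified_controller_at: Optional[datetime] = None
    phase_updates: list[PhaseUpdate] = field(default_factory=list)

    def is_personal_data_breach(self) -> bool:
        return self.involves_personal_data and bool(self.breach_types)

    def notification_deadline(self) -> datetime:
        return self.controller_aware_at + NOTIFICATION_WINDOW

    def notifiable_to_sa(self) -> bool:
        # Notify the supervisory authority unless the breach is unlikely to result in a risk.
        return self.is_personal_data_breach() and self.risk_level in ("risk", "high risk")

    def notifiable_to_data_subjects(self) -> bool:
        # Article 34 threshold: high risk to affected individuals.
        return self.is_personal_data_breach() and self.risk_level == "high risk"

    def documentation_gaps(self) -> list[str]:
        """Return the items a supervisory authority could not verify from this record."""
        gaps: list[str] = []
        if not self.description:
            gaps.append("facts: description of the incident missing")
        if self.is_personal_data_breach() and not self.data_categories:
            gaps.append("facts: categories of personal data not recorded")
        if not self.effects:
            gaps.append("effects: consequences for individuals not recorded")
        if not self.remedial_actions:
            gaps.append("remedial action: no measures recorded")
        if not self.risk_factors or not self.risk_decided_by:
            gaps.append("risk assessment: factors considered or decision maker not recorded")
        if self.notifiable_to_sa():
            if self.notified_sa_at is None:
                gaps.append("Art 33(1): notifiable breach not yet notified")
            elif self.notified_sa_at > self.notification_deadline() and not self.delay_reasons:
                gaps.append("Art 33(1): notified after 72 hours without reasons for delay")
        if self.processor_notified_controller_at is not None and self.processor_aware_at is None:
            gaps.append("Art 33(2): when the processor became aware not recorded")
        for update in self.phase_updates:
            if not update.reason_for_phasing:
                gaps.append("Art 33(4): phased update without reasons for phasing")
        return gaps


def build_sample_record() -> BreachRecord:
    """Constructed sample: a processor-reported loss, notified 78 hours after awareness."""
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    return BreachRecord(
        incident_id="INC-SAMPLE-001",
        description="Processor lost an unencrypted backup tape in transit",
        involves_personal_data=True,
        data_categories=["contact details", "payroll data"],
        breach_types=["loss"],
        effects="Possible exposure of salary information for current staff",
        remedial_actions=["courier search initiated", "backup transport switched to encrypted media"],
        risk_level="risk",
        risk_factors=["confidentiality breach", "sensitivity of payroll data", "direct identifiability"],
        risk_decided_by="DPO",
        controller_aware_at=aware,
        notified_sa_at=aware + timedelta(hours=78),  # outside the 72-hour window
        delay_reasons=None,                          # deliberately missing, to surface the gap
        processor_aware_at=aware - timedelta(hours=15),
        processor_notified_controller_at=aware,
    )


if __name__ == "__main__":
    record = build_sample_record()
    print("deadline:", record.notification_deadline().isoformat())
    for gap in record.documentation_gaps():
        print("gap:", gap)
```

The record is deliberately left without reasons for the late notification, so `documentation_gaps()` flags exactly that; filling in `delay_reasons` clears it. The same check is what a register review before a supervisory-authority request should run over every entry, notifiable or not.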

Seventytwo Data Breach Report

All documentation obligations are included in seventytwo’s data breach report, including a sophisticated risk rating. Please note that even if a personal data breach is non-notifiable, you still have to satisfy documentation requirements! A supervising authority may request such documentation at a later stage or during a subsequent investigation.

We often see that the (primary) record in which an organisation has documented the facts, effects, and remedial actions taken in respect of a (suspected) personal data breach does not contain all necessary information and does not satisfy the requirements of Article 33(5) of the GDPR. Please get in touch to discuss how we can assist you.