At a time when personal data breaches are becoming increasingly common, and cyber incidents affect private and government entities on an almost daily basis, the Polish Data Protection Authority (UODO) has published updated guidelines on data breaches (the Guidance) to help organisations navigate the complexities of personal data breach notifications under the General Data Protection Regulation (GDPR). The Guidance is now available on UODO’s website.
The latest version of the Guidance provides instructions on how to understand and deal with data breaches effectively, recommendations for risk assessment and some tips for breach prevention. The Guidance has been well received by the industry for its thoroughness and the inclusion of informative examples and graphics to aid understanding. However, some of UODO’s positions have raised eyebrows in the industry for their rigidity and impracticality, which some argue even contradict the positions of the European Data Protection Board (EDPB).
Here are some of the positive takeaways and some of the more controversial statements made by UODO that may give rise to concerns in organisations.
What is a “data breach”?
UODO has adopted a broad definition of a data breach. According to the Polish authority, the mere possibility of a negative impact on individuals (data subjects) is sufficient to determine that a breach has occurred.
In addition, UODO believes that breaches should be assessed as posing either “no risk”, “risk” or “high risk” to individuals. In practice, the authority therefore recognises only two levels of risk once a breach is found to pose any risk at all. This seems to contrast with the GDPR, ENISA and EDPB guidelines, which allow the controller not to notify the authority if the breach falls into the “low risk” category – namely, under the GDPR the data controller must notify the breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Thus, the GDPR leaves a fairly broad area in which the data controller can decide whether or not to notify a breach, even where a breach has occurred and poses some risk. Under the updated Polish Guidance, there is no such area, or it is extremely small. In practice, the position taken by UODO means that whenever there is a risk (even a low one), the breach should be notified to the authority.
The Guidance states that a breach need not be notified only if the data controller can determine that a risk to individuals is unlikely. Examples include the disclosure of publicly available data or the loss of securely encrypted data. These examples also show how narrowly UODO construes the “no risk” criterion.
What does this mean for businesses?
The Guidance is likely to result in an increased number of data breach notifications to UODO. The notification and handling of breaches are particularly important in light of this year’s Annual Inspection Plan, which provides that UODO will audit the documentation on data breaches (fulfilling the obligation under Article 33(5) of the GDPR). This documentation includes records of data breaches, describing the circumstances of the personal data breach, its consequences, and the remedial measures taken.
With this in mind, companies should adapt their internal procedures to the requirements set out in the Guidance and implement a risk-assessment tool or process based on the risk categorisation set out in the Guidance. Failure to comply can result in heavy fines, such as the recent fine of PLN 1.44 million (EUR 248,000) imposed on a local bank for a failure to notify the authority and a fine of PLN 4 million (EUR 958,000) for a failure to notify the affected data subjects.
However, to somehow soften this restrictive approach, the DPA has also pointed out that a data breach alone does not constitute a violation of the GDPR and does not lead to the “automatic” imposition of administrative sanctions on the data controllers. If a data breach has occurred despite the proper implementation of GDPR obligations (e.g. data security), data controllers need not fear administrative sanctions being imposed on them for the data breach alone.
How to understand the 72-hour deadline for notification
The GDPR requires that, in the event of a data breach, the data controller must notify the breach without undue delay and, where practicable, no later than 72 hours after becoming aware of the breach. This deadline may raise the question of when a controller can be deemed to have “become aware” of a breach, particularly where the breach is on the part of the data processor (for example, an external payroll provider). In such a case, the Guidance confirms that the 72-hour notification period should be counted from the moment the processor notifies the controller of the breach.
In the case of cyberattacks, UODO recognises that it may take time to determine whether personal data has been compromised, and once this is confirmed, the data controller can formally acknowledge the breach and comply with other related obligations. That would include making an initial, preliminary notification (without the need to provide many details of the breach), followed by a proper notification, providing the full picture of the breach.
In addition, in exceptional circumstances, such as system failures that prevent electronic submissions, notifications may temporarily be sent to UODO’s email address and then be confirmed by the standard methods once the problem has been resolved.
New role for the DPOs in dealing with data breaches
The Guidance emphasises the importance of independence and the absence of a conflict of interest for the role of the DPO within organisations. Therefore, the DPO should be an advisor rather than an executor of decisions regarding data incidents. While the DPO should be informed promptly of any breach and should be involved at the earliest stage, UODO insists that the DPO should not – in the course of handling a data breach – perform tasks that are the sole responsibility of the data controller or processor. This includes notifying personal data breaches to UODO, notifying individuals of breaches, or documenting breaches on behalf of data controllers (or processors).
This position is particularly significant in light of UODO’s recent activities. Following UODO’s views on the position of DPOs within organisations, UODO has imposed fines for related violations. Yet another local bank was fined PLN 262,000 (EUR 62,000) for failing to ensure the independence of its DPO, who reported to the head of the IT security department rather than to the top management (board of directors). The bank’s explanations that this structure was purely administrative did not hold water.
Recently, UODO also reprimanded a university for failing to ensure in its procedures that the DPO would not receive instructions relating to his or her duties and for failing to implement measures to prevent conflicts of interest in the DPO’s duties.
Trusted data recipient - according to UODO
Over the years, there have been several cases in which UODO has challenged data controllers’ arguments as to who is a trusted data recipient. Now, according to the updated Guidance, a “trusted recipient” is an entity that has inadvertently received personal data but can be considered trustworthy due to previous positive cooperation with the data controller. There is a reasonable assurance that the entity will respond appropriately to the incident and help mitigate the risk of a breach of the rights or freedoms of the individuals concerned. Thus, under the new Guidance, such a “trusted recipient” cannot be someone unknown to the controller (e.g. a random recipient of an email or postal package), even if he or she is willing to sign a non-disclosure statement.
Classifying an unauthorised recipient as “trusted” is always part of assessing the risk of a breach of confidentiality. The status of a “trusted recipient” should therefore be monitored, and in some cases a change in that status may require the risk assessment to be revised.
Practical implications of the Guidance
The Guidance is an important resource that helps organisations understand and comply with their obligations related to personal data breaches. By following these guidelines, organisations can mitigate risk, protect individuals’ rights, and maintain trust in their data-handling practices.
At the same time, the Guidance presents significant challenges for data controllers. Ideally, the Guidance should encourage controllers to focus their efforts on minimising data breaches through reliable technical and organisational measures. This is because – based on the Guidance – virtually all data breaches must be notified to UODO, which in the long run increases the risk of potential fines for non-compliance.
As this challenge may be difficult to overcome, data controllers should at the very least adopt a new restrictive assessment in the context of possible notifications and adapt the procedures to avoid possible negative consequences resulting from UODO’s position.
On a positive note, UODO has begun to organise webinars on data breaches, which may provide additional interpretations of the Guidance and lead to a softening of its position.