Companies face substantial challenges in complying with the breach notification requirements of Article 33 of the General Data Protection Regulation (GDPR). Article 33 requires a data controller to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. The notification must include (1) a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned, (2) the name and contact details of the data protection officer or another contact point from whom more information can be obtained, (3) a description of the likely consequences of the breach and (4) a description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Where all of this information is not available at once, Article 33 permits it to be provided in phases without undue further delay.
Upon becoming aware of a breach, in addition to remediating and investigating it, a company must immediately devote resources to drafting and submitting the breach notification within 72 hours. A company needs to quickly identify the supervisory authorities it must notify and the notification requirements specific to each of them. While every EEA country works within the Article 33 framework, notification in each country varies by language, reporting format and procedural requirements. Many supervisory authorities’ websites, including the breach notification forms and online portals themselves, are available only in the country’s official language. Even when the notification information is available in English, depending on which supervisory authority is being notified, the completed notification form may need to be translated into the local language before submission. As a result, a good portion of the 72-hour notification period may be consumed by translating the website, notification form or online portal, as well as the company’s own report. The submission process also varies: it may be relatively simple, such as an email or a submission through an online portal, or it may be more time-intensive, for example requiring the company to request a link to upload the form, to download dedicated software or to submit a notification bearing a stamp.
For companies not established in the European Economic Area (EEA), and for those that cannot identify a lead supervisory authority under the GDPR’s one-stop-shop mechanism, notification will need to be made to the supervisory authority of every EEA country with affected individuals. Making even a single notification within the 72-hour deadline is a time-pressured and resource-intensive task; the prospect of notifying the supervisory authorities of up to 31 countries (all 28 EU Member States plus the three EEA EFTA countries, Iceland, Liechtenstein and Norway, which now also apply the GDPR) within 72 hours of discovering a data breach is downright daunting. At the same time, companies may also need to navigate the logistical and legal issues that arise from simultaneously making notifications in jurisdictions outside the EEA.
The BakerHostetler www.dataprivacymonitor.com blog has long provided resources, such as our Breach Notification Law Interactive Map, for U.S. state notification laws. Since the GDPR became applicable on May 25, 2018, we have been working with numerous clients to report breaches affecting data subjects in the EEA. Our new EU GDPR Data Breach Notification Resource Map compiles the resources we have developed to help companies in the midst of a personal data breach comply with the GDPR’s 72-hour notification requirement and to help companies prepare for an incident affecting EU data subjects. Using the map, a company can proactively identify the EEA countries where it may be required to report, familiarize itself with each reporting process and translate any required forms or portals before an incident occurs. Clicking on a country in the map generates a pop-up that provides contact information for the supervisory authority in that country and a link to its website, information on and links to the country’s breach notification form or online breach notification portal, and information (where applicable) on how the notification is submitted to that supervisory authority.