Data breach: communication to the data subject

During 2019, more than twenty million communications of data breaches were made directly by controllers to citizens, who benefited from the obligation established in the GDPR to notify breaches to the supervisory authority and, where appropriate, to communicate them to the data subjects. This measure is having a positive impact on the protection of their rights and freedoms, reduces the impact of security breaches and is a transparency exercise that increases trust in, and the resilience of, the processing of personal data.

I. What is communication to the data subject?

Articles 33 and 34 of the GDPR regulate the obligations of controllers and processors when a personal data breach occurs. These obligations fall within the accountability principle and the framework of managing risks to rights and freedoms. For further information, please check the guide on personal data breach management and notification and the practical guides on risk analysis and data protection impact assessment published by the Spanish Data Protection Agency.

While Article 33 establishes the situations in which the supervisory authority must be notified of a personal data breach, Article 34 obliges the controller, when the breach is likely to result in a high risk to rights and freedoms, to inform and warn the natural persons whose data have been affected, so that they can take their own protective measures.

II. How does communication concern data subjects?

The obligation to communicate to data subjects is a new tool that gives people whose data are being processed an added measure of transparency, enabling them to know whether their data have been disclosed to third parties, or have been temporarily or permanently unavailable. Widely used services such as Firefox Monitor or Have I Been Pwned highlight people's increasing concern for privacy and their demand for transparency in processing.

The opacity with which some organisations have at times handled security breaches has exposed those affected to a very high risk, since they were not informed and could not take the measures needed to protect themselves. An example of this lack of transparency was the attack suffered and detected by Yahoo in 2014, which affected more than 500 million users, who were not aware of the exposure of their personal data until 2016. One of the purposes of the GDPR is to ensure that a situation like the one described does not occur again.

In addition, the obligation to communicate to the data subjects has a very positive side effect for organisations: it supports internal policies that encourage the implementation of effective and diligent management and governance models. The organisation therefore obtains a direct benefit beyond mere compliance with its legal obligations. Reputational impact has become one of the main concerns of entities, and this obligation allows them to maintain the relationship of trust that data subjects have placed in them.

With more than 20 million communications to data subjects proactively carried out by data controllers established in Spain, according to the information in the data breach notifications received by the Spanish Data Protection Agency, and approximately 12,000 communications to data subjects ordered by this Agency among the nearly 1,500 data breach notifications received in 2019, it is clear that this tool is an effective instrument for the protection of citizens' rights and freedoms.

This post is part of a monograph on data breaches:

Data breaches: protect yourself against the loss or theft of a portable device
Personal data breaches: what they are and how to respond
Personal data breaches: protect yourself against ransomware