Welcome to the third post in our 'GDPR HR Issues' blog series. Drawing on insights from across Bryan Cave Leighton Paisner's global Employment & Labor team, the series highlights the key GDPR issues affecting employers.
This post focuses on the new obligations imposed by the GDPR to notify the relevant supervisory data protection authority ("DPA"), and the individuals whose data have been affected, when an employer becomes aware of a breach affecting personal data that it processes (a "data breach").
If an employer discovers that the personal data it holds concerning its employees is, for example, accidentally accessed by a third party without authorization, what practical steps should it take to manage such a breach?
What is a "data breach"?
A personal data breach occurs when a breach of security affects the personal data's confidentiality (unauthorized disclosure or access to the data), integrity (data is involuntarily or unlawfully modified or destroyed) or availability (loss of data). Data breaches can be accidental or deliberate.
What immediate steps should an employer take when it discovers a data breach?
- Take immediate action to mitigate the breach (for example restore access authorizations where there has been a security failure and take such other IT security measures as necessary);
- Set up a crisis team. This should include the Data Protection Officer (the "DPO") if the company has one (or if not, a person responsible for data privacy in the organization) as well as people from HR, Legal, IT and any other relevant departments. This team will be responsible for notifying both the DPA and affected employees about the breach;
- Conduct an investigation to identify the origin, nature and extent of the breach, the type of personal data involved and the individuals affected by the breach. Your IT department will very likely be involved in this investigation, as well as your HR or Legal functions, especially where it is necessary to interview staff to identify the cause and extent of the breach and any possible employee involvement in the breach;
- Document each action undertaken. This is a requirement under the GDPR and will help you demonstrate the measures you have in place to mitigate the risks, if the DPA investigates.
When do you need to notify about a data breach, to whom, how and within what timeframe?
- Notifying the DPA
When: Whenever the employer becomes aware that a breach has occurred, it must notify the DPA, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Timing: As soon as possible and, where feasible, within 72 hours after becoming aware of the data breach. Even if the employer does not yet have full knowledge of the specifics of the breach, it must file the initial notification within this timeframe and follow up with additional information as its investigation continues.
How: Most DPAs offer the facility to file a data breach notification online via a specific form.
- Notifying the data subjects (current and possibly former staff)
When: The obligation arises if the personal data breach is likely to result in a high risk to the rights and freedoms of individuals. In the context of employee data this can include, for example, information about salaries, health, banking details, annual reviews, disciplinary history etc.
Timing: The GDPR imposes an obligation to notify the data subjects "without undue delay". In practice, this will typically occur shortly after notifying the DPA, when the employer has been able to gather sufficient information regarding the breach and its scope and extent. If the breach involves personal data of former employees, you should bear in mind that you may also need to notify them.
How: The notification to affected individuals should ideally be made in a way that enables the employer to obtain acknowledgement of receipt. This will serve as evidence that the employer has complied with its GDPR obligation to notify each individual affected by the breach. A breach of employee data may be sensitive if it involves highly confidential and private information (for example salaries, medical information or annual reviews). Employers may therefore also need to take steps very early on to ensure that staff are reminded of their obligations not to transmit or use information they obtain as a result of the breach, to notify the employer if they become aware of data breaches, and to ensure that any such employee information is returned or safely destroyed, as appropriate.
What information should such notifications include?
- The nature of the personal data breach, and, for the notification of the DPA only, where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Name and contact details of the DPO (if applicable) or other contact point within the employer where more information can be obtained;
- Likely consequences of the personal data breach;
- Measures taken or proposed to be taken by the employer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
What follow-up measures should be taken?
After notifying the DPA and the individuals concerned, the employer should ensure that it puts in place sufficient corrective security measures to manage the risk of such a breach occurring again. This can include training staff to ensure they understand their data protection obligations, and carrying out further investigations, if needed, not least to identify those individuals who were responsible for the breach and, if appropriate, disciplining them.
The DPA may get in contact with the employer in light of the employer's breach notification. The employer needs to ensure it cooperates with the DPA, particularly if the DPA decides to investigate further.