Breach reporting: pumpkin to talk about

Boo!  Want to hear something spooky?  How would you feel if I told you that as a non-EU based company subject to the GDPR you may soon have to report personal data breaches to the regulator in every European Union country in which the affected individuals are based?

Well, that is what’s being proposed in the latest breach notification guidance issued for public consultation by the European Data Protection Board.  Witchful thinking?  I'm afraid not.  Let’s turn to page 18 of the new guidance, which says:

• Non-EU based controllers remain bound by the notification obligations under Arts. 33 and 34 of GDPR.
• Controller and processors are required to appoint a representative in the EU where Art. 3(2) of the GDPR applies (and the EDPB’s current position is that breach notification is made to the data protection authority in the country in which the representative is based).
• Now, however, the EDPB says “the mere presence of a representative in a Member State does not trigger the one-stop-shop system”.  Going forward, “the breach will need to be notified to every single authority for which affected data subjects reside in their Member State.  This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller” (emphasis is mine).

Every.  Single.  Authority.  Let that sink in for a moment.  For anyone who has lived through even one breach, the 72-hour period from awareness to reporting can — arguably should? — be incredibly stressful.  You’re collating information that’s constantly changing whilst working with multiple teams across and outside the business, drafting a notification to the relevant authority (following their guidance and using their form) and submitting a detailed notification within a few days.  

Now try running the notification process three, seven, fifteen or twenty two times within the same period.  If that seems close to impossible — well, in some cases it will be (at least to do well). 

I do wonder whether this is the EDPB’s way of saying that too many organisations are flouting the Art. 27 GDPR representative requirement.  But even if that’s true this feels like the wrong way to go about addressing it.  It may also be a case of careful what you wish for when already overstretched and underfunded national regulators are bombarded with hundreds or thousands more breach notifications each year.

Public consultation to the proposed guidance closes on 29 November 2022; feedback can be given here.  

The strength of the responses will be an interesting litmus test for how widely these documents are actually read, and one would think that the sentiment will be one way traffic.  Otherwise it may be breach reporting: so long and fangs for the memories.