Data breach notification under GDPR–WP250: EBF comments on the Article 29 Working Party guidelines
EBF advisor: Hélène Benoist
Publication date: 28 November 2017
Supporting the clarifications on data breach notification provided by the WP29, notably regarding the issue of when a controller becomes “aware” of a breach: The European Banking Federation (EBF) supports the approach of the Article 29 Data Protection Authority (hereafter ‘WP29’) guidelines and the clarifications on data breach notification under the General Data Protection Regulation (GDPR), notably regarding the issue of when a controller becomes “aware” of a breach. However, further clarity on what constitutes a “reasonable degree of certainty” would be welcome to further assist data controllers in protecting data subjects’ rights. In addition, the use of the word “compromised” raises additional questions, as this word is not present in the GDPR.
Avoiding confusion, consumer fatigue and unnecessary risks: Notification to data subjects at all times, especially in the banking sector, may compromise the security of banks and facilitate financial crime by alerting criminals to vulnerabilities in a bank’s systems. In the case of a personal data breach, Article 34(3) of the GDPR specifies the conditions under which communication to the data subject is not required. Nonetheless, there is still a risk of alarming customers unnecessarily. Investigating a suspected breach generally involves a significant amount of time and effort on the part of a data controller, and it can take some time to determine exactly what has happened and who is affected, with the picture often changing as the investigation progresses.
Efficiency of reporting and coordination of processes: The nature of security breaches/incidents is such that root causes and impacts often reach beyond a single location. Incidents frequently need to be managed across groups of undertakings and jurisdictions. Banks are already subject to strict requirements to notify security breaches/incidents to supervisory and competent authorities and other relevant bodies. In view of the above, a common taxonomy of the various data breach notification schemes, containing common thresholds (e.g. when an incident is significant or non-significant, when to report a data breach), needs to be reached. It is important that these processes be coordinated and that duplication be avoided as much as possible.
A need for further clarification of “adequate security measures”: As the Guidelines contain no information on what should be understood by “adequate security measures”, there is a high level of legal uncertainty about the application of this requirement. As high fines are associated with the absence of such adequate security measures, some general guidance or examples clarifying what these measures are would be welcome.