Data breach notification under GDPR–WP250: EBF comments on the Article 29 Working Party guidelines
EBF advisor: Noémie Papp & Hélène Benoist
Publication date: 28 November 2017
Supporting the clarifications on data breach notification provided by the WP 29 notably regarding the issue of when a controller becomes “aware” of a breach: The European Banking Federation (EBF) supports the approach of the Article 29 Data Protection Authority (hereafter ‘WP29’) guidelines and the clarifications on data breach notification under the General Data Protection Regulation (GDPR), notably regarding the issue of when a controller becomes “aware” of a breach. However, further clarity on what constitutes a “reasonable degree of certainty” would be welcome to further assist data controller protect data subjects’ rights. In addition, the use of the word “compromised” raises additional questions as this word is not present in the GDPR.
Avoiding confusion, consumer fatigue and unnecessary risks: Notification to data subjects at all times, especially for the banking sector, may compromise the security of banks and facilitate financial crimes by possibly alarming criminals of vulnerabilities in the bank’s systems. In the case of a personal data breach, Article (34)(3) of the GDPR specifies the conditions in which the communication to the data subject shall not be required. Nonetheless, there is still a risk of alarming customers unnecessarily. Investigating a suspected breach generally involves a significant amount of time and effort on the part of a data controller and it can take some time to determine exactly what has happened and who is affected, with the picture often changing as the investigation progresses.
Efficiency of reporting and coordination of processes: The nature of security breaches/ incidents are such that often root causes and impacts hit not just locally. The incidents frequently need to be managed across groups of undertakings and jurisdictions. Banks are already subject to strict requirements to notify security breaches/incidents to supervisory and competent authorities and other relevant bodies. In view of the above, a common taxonomy of the various data breach notification schemes containing common thresholds (g. when an incident is significant or non-significant, when to report a data breach) needs to be reached. It is important that these processes be coordinated, and duplication avoided as much as possible.
A need for further clarifications on “adequate security measures”: As there is no information in the Guidelines about what should be understood as “adequate security measures”, there is a high level of legal uncertainty about the application of this requirement. As high fines are associated with the absence of such adequate security measures, some general guidance or examples clarifying such measures would be welcome.
“International Directors Banking Programme” is a new modular programme of three three-day modules at the INSEAD business school in Fontainebleau, France. The content is driven by the needs for bank directors and senior executives working in banks to review and update their corporate governance practices due to the many pressures they face, and will focus on the effectiveness of directors and boards. Successful completion by participants offers certification by INSEAD. Read more
Stay in touch with the EBF
The EBF produces a daily and a weekly newsletter with European banking news and updates from national banking associations across Europe. CLICK HERE TO SUBSCRIBE
European Banking Federation
The EBF is the voice of the European banking sector, bringing together national banking associations from 45 countries. The EBF is committed to a thriving European economy that is underpinned by a stable, secure and inclusive financial ecosystem, and to a flourishing society where financing is available to fund the dreams of citizens, businesses and innovators everywhere.
56 Avenue des Arts
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.