EBF: Data breach notification under GDPR–WP250: EBF comments on the Article 29 Working Party guidelines

28 November 2017

European Banking Federation (EBF) key points in its comments on the Article 29 Working Party guidelines focuses on the clarifications on data breach notification, consumer fatigue and unnecessary risks, efficiency of reporting and coordination of processes and a need for further clarifications on “adequate security measures”.

Supporting the clarifications on data breach notification provided by the WP 29 notably regarding the issue of when a controller becomes “aware” of a breach: The EBF supports the approach of the Article 29 Data Protection Authority (hereafter ‘WP29’) guidelines and the clarifications on data breach notification under the General Data Protection Regulation (GDPR), notably regarding the issue of when a controller becomes “aware” of a breach. However, further clarity on what constitutes a “reasonable degree of certainty” would be welcome to further assist data controller protect data subjects’ rights. In addition, the use of the word “compromised” raises additional questions as this word is not present in the GDPR.

Avoiding confusion, consumer fatigue and unnecessary risks: Notification to data subjects at all times, especially for the banking sector, may compromise the security of banks and facilitate financial crimes by possibly alarming criminals of vulnerabilities in the bank’s systems. In the case of a personal data breach, Article (34)(3) of the GDPR specifies the conditions in which the communication to the data subject shall not be required. Nonetheless, there is still a risk of alarming customers unnecessarily. Investigating a suspected breach generally involves a significant amount of time and effort on the part of a data controller and it can take some time to determine exactly what has happened and who is affected, with the picture often changing as the investigation progresses.

Efficiency of reporting and coordination of processes: The nature of security breaches/ incidents are such that often root causes and impacts hit not just locally. The incidents frequently need to be managed across groups of undertakings and jurisdictions. Banks are already subject to strict requirements to notify security breaches/incidents to supervisory and competent authorities and other relevant bodies. In view of the above, a common taxonomy of the various data breach notification schemes containing common thresholds (g. when an incident is significant or non-significant, when to report a data breach) needs to be reached. It is important that these processes be coordinated, and duplication avoided as much as possible.

A need for further clarifications on “adequate security measures”: As there is no information in the Guidelines about what should be understood as “adequate security measures”, there is a high level of legal uncertainty about the application of this requirement. As high fines are associated with the absence of such adequate security measures, some general guidance or examples clarifying such measures would be welcome.

Full document


© EBF