Data Protection Update: Breach Reporting

In February of this year, DLA Piper released their annual data breach survey covering January 2019-January 2020 indicating a surge in data breach reports across the European Economic Area. The report found that companies in the EEA reported 160,921 data breaches to their supervisory authorities over the 12 month period, an average of over 240 reported breaches per day.
This upsurge in reporting has been accompanied by an increase both in supervisory authority staffing for enforcement departments as well as in the fines levied. From January 2019-January 2020, supervisory authorities issued fines for more than EUR 114 Million, the majority of which came from the French supervisory authority, the Commission Nationale Informatique & Libertes (CNIL).
Where a breach is likely to result in prejudice to the rights and freedoms of a data subject, reporting the breach is mandatory. Per the General Data Protection Regulation EU 2016/679 (GDPR), supervisory authorities are entitled to fine 2% of a company’s global revenue for failure to report a breach within 72 hours. No fine levied so far has reached this threshold, however this will likely not hold going forward. We expect that centralized guidance from the European Commission on fines and reportable breaches under GDPR will be issued and that multi-million euro fines will increase in frequency in 2020. Germany’s proposed methodology for fine calculation would likely see the amount of fines levied double in the next year.
With this in mind, FundRock Management Company would like to refresh our clients on some of their obligations under GDPR.
Breach reporting requirements
The managing body of an investment fund is automatically considered the data controller for GDPR purposes. The managing body of the fund is ultimately responsible for all personal data processed on its behalf, notably by its delegates and service providers; this includes data breaches and breach reporting. Within 72 hours of becoming aware of a personal data breach, the managing body must conduct an assessment as to whether or not the breach is reportable and, if it is, report the breach to the supervisory authority. Failure to do this can result in fines of 2% of the assets of the fund.
Entities in Luxembourg, Ireland, and the United Kingdom reported roughly 36,000 data privacy breaches between January 2019 and January 2020; the number of breach reports and the number of investigations conducted by supervisory authorities is expected to increase this year.