Warning: GDPR Fines May Apply To Undisclosed Prior Data Breaches

King & Spalding
On April 9, 2018, a European Commission Official speaking on the condition of anonymity warned that companies currently hiding data breaches from the public may be subject to substantial fines when the European Union’s (“EU”) new General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018. 

The warning comes just over a month before the GDPR’s effective date, meaning that any companies that are currently aware of, but have not publicly disclosed, a data breach may be pressured into disclosing such incidents in the coming weeks with the hope of avoiding stiff fines under the GDPR.  The Official gave the warning while briefing journalists in Brussels in advance of the EU’s Digital Day, an event involving EU stakeholders in the fields of digital technology and telecommunication. 

The GDPR, which is set to replace the 1995 Data Protection Directive, contains strict notification requirements in the event of a data breach.  Specifically, data controllers covered by the new law will be required to notify the relevant data protection regulator “without undue delay and, where feasible, not later than 72 hours after having become aware of [a data breach].”  This will require companies to act swiftly in investigating any potential data breaches and formulating and providing an initial notification to regulators on a tight timeline.  Further, if a data breach “is likely to result in a high risk to the rights and freedoms of natural persons,” a data controller is also required to notify impacted individuals “without undue delay.”  As we have previously reported, the guidance recently issued by the Article 29 Working Party, a statutorily-appointed independent EU advisory body, interprets that to mean that notice must be given “as soon as possible,” with the “main objective” of notification being to quickly provide “specific information about steps [impacted individuals] should take to protect themselves.” 

Perhaps of most interest to companies currently aware of undisclosed data breaches, the GDPR will allow for substantial penalties in the event of noncompliance. Violations of obligations to notify regulators and impacted individuals will carry a penalty of up to €10,000,000, or 2% of a company’s worldwide annual revenue from the prior financial year, whichever is greater. More serious violations, such as violations of the GDPR’s basic principles for data processing, will be subject to a penalty of up to €20,000,000, or 4% of annual revenue, whichever is greater.

Given the gravity of potential fines under the GDPR, the recent warning about liability for undisclosed data breaches may require some companies to make difficult decisions as the GDPR’s effective date draws closer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising