
Out-Law News

Harvey Norman example highlights GDPR breach notification time pressures
The time constraints businesses are under to disclose major personal data breaches under the General Data Protection Regulation (GDPR) have been highlighted by the way an Irish retailer responded to being told that some of its customers were affected by such a breach, a data protection law expert has said.

Dublin-based Karen Gallagher of Pinsent Masons, the law firm behind Out-Law.com, was commenting after Harvey Norman notified customers of a data breach experienced by a third-party software provider it had used.

According to the Irish Times, Typeform notified Harvey Norman of the breach on Friday 29 June and the retailer then disclosed the breach to the Office of the Data Protection Commissioner in Ireland. The watchdog confirmed to Out-Law.com that it had received a data breach notification from Harvey Norman and is currently examining the information received.

On Wednesday 4 July, Harvey Norman also disclosed the breach to affected customers, the Irish Times reported.

In its letter, Harvey Norman said the names, email addresses and telephone numbers of customers were among the data that "may have been compromised", but said the breach did not concern "sensitive personal data such as payment data, bank details or passwords", the report said.

Gallagher said: "The speed with which Harvey Norman has had to notify the breach to the Irish data protection commissioner and affected customers demonstrates the new requirements of GDPR in action. This includes the mandatory reporting of data breaches to the local data protection supervisory authority within 72 hours where there is a risk of damage to the rights and freedoms of a data subject, and the requirement to directly notify data subjects of the breach without undue delay where there is a high risk of damage arising to the data subject. The 72-hour timeframe means that companies need to be prepared to act quickly once they become aware of a breach."

"Although the company has said that no sensitive personal information, such as payment data, bank details or passwords, was involved, it has nevertheless determined that the breach constitutes a high risk of damage to the data subject, requiring direct notification to the persons affected. This illustrates that a breach need not necessarily involve sensitive personal data in order to trigger the requirement to notify the data subject," she said.

Gallagher said that there are limited exceptions to the requirement to notify breaches to individual data subjects under the GDPR. These include cases where the data has been rendered unintelligible, where the risk has already passed, or where it would be disproportionate to notify customers individually, in which case a general public communication is required instead.

"Companies that have any doubt as to the severity of the risk posed by a data breach are likely to err on the side of caution by notifying customers in order to avoid any risk of non-compliance with the GDPR," Gallagher said. "This is particularly so given the high penalties they may face if their data protection and security practices are found wanting by the local supervisory authority in the course of its assessment of the breach and the company's response to it."