Data breaches: now what?
Personal data breach

Each of the following situations is a data breach:
- The personal data you process is seen, received or accessed by, or accessible to, unauthorized persons.
  - Examples:
    - a file with personal data is sent to the wrong person.
    - an unauthorized person has had access to your systems and may have been able to access, copy, view, destroy, etc. personal data.
    - a database with personal data was open to public access and you cannot determine with certainty whether it was accessed or not.
    - some employees had “read-only” access to personal data that they were not allowed to access and you cannot determine with certainty whether they accessed it or not.
    - an account of an employee has been hacked and you cannot determine with certainty whether the hacker accessed the personal data that the employee has access to.
- The personal data is lost, destroyed or damaged.
  - “destruction”: the data no longer exists or no longer exists in a form that is of any use to the controller.
  - “damaged”: personal data has been altered, corrupted, or is no longer complete.
  - “lost”: the data may still exist, but the controller has lost control of or access to it, or no longer has it in its possession.
  - Examples:
    - a laptop or storage medium (such as a USB stick) is lost, even if the device is encrypted.
    - a file that contains personal data cannot be retrieved.
    - a file with personal data is encrypted by ransomware.
    - the password of an encrypted file with personal data is lost and there are no other, accessible copies of the file.

Notification to the data protection authority

- The controller must notify the data protection authority of data breaches within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (e.g. the data were encrypted).
- If the breach is not notified within 72 hours, the controller must inform the data protection authority of the reasons for the delay.
- A notification may be made in phases, i.e. the information available can be given in the initial notification and additional information can be added to the file later.
- The notification must include at least the following information:
  - the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
  - the name and contact details of the data protection officer or other point of contact from which further information can be obtained.
  - the likely consequences of the breach.
  - the measures taken or proposed by the controller to address the data breach including, where appropriate, measures to mitigate any possible adverse effects.
- The controller must adequately document all personal data breaches, including the related facts, effects and the remedial measures taken.

Notification to the persons concerned

- When a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the controller must inform the data subjects of the breach without undue delay.
- The controller must describe, in clear and plain language, the nature of the personal data breach and indicate:
  - the name and contact details of the data protection officer or other point of contact from which further information can be obtained.
  - the likely consequences of the personal data breach.
  - the measures taken or proposed by the controller to address the breach including, where appropriate, measures to mitigate any possible adverse effects.
- If the controller does not inform the data subjects of the breach, the supervisory authority, after having assessed the risk posed by the breach, may require it to do so.
- The controller does not need to inform the data subjects of the personal data breach if:
  - it has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the breach, in particular measures, such as encryption, that render the personal data unintelligible to any person who is not authorised to access them;
  - it has subsequently taken measures to ensure that a high risk to the rights and freedoms of the data subjects is no longer likely to materialise; or
  - doing so would involve disproportionate efforts, in which case it shall make a public communication or take similar measures to ensure that the data subjects are informed in an equally effective manner.
- The processor's role: the processor must notify the controller without undue delay after learning of a personal data breach.

A data breach policy

Establish a data breach policy in which you describe how your employees should react when a data breach occurs, who they should inform, etc. Make sure that you inform your employees about the content of this policy.

A record of data breaches

A record of data breaches must be established. In this record, you should note not only the data breaches that required notification, but also those that remained below the notification threshold.

Time for action!

- Assess the technical and operational security measures in place within your organisation and make the appropriate adjustments, if necessary.
- Establish a data breach policy and a record of data breaches.
- Have your systems tested regularly by an external party.
- Put in place an appropriate data breach notification procedure.
- Train your employees and contractors in security awareness.