How to deal with a data breach under GDPR
The General Data Protection Regulation (GDPR) is a privacy law aimed at protecting the personal information of residents of the European Union. GDPR strives for that goal by imposing certain requirements on those processing and controlling personal data, including requiring a legal basis for such processing, ensuring that websites have compliant Privacy Policies, and requiring reporting of certain breaches of personal data.
In this article, we will discuss the following:
- What qualifies as a data breach;
- What breaches need to be reported to a supervisory authority;
- The timeline for reporting breaches;
- What breaches need to be reported to individuals; and
- Consequences for failure to report.
While a data breach is certainly a major event regardless of the amount of personal data breached, following GDPR and supervisory authority guidance will aid you in implementing security and privacy measures that can lessen the impact of data breaches.
What is a data breach?
Article 4 of GDPR defines a personal data breach as “a breach of security leading to accidental or unlawful destruction, alteration, loss, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” To establish whether a data breach has taken place, it should be immediately ascertained whether all appropriate technological protection and organisational measures have been implemented. The following are a few examples of incidents that would qualify as data breaches under GDPR:
- When personal data is lost;
- When someone accesses the data or shares it without proper authorisation; or
- When data has become unavailable due to a ransomware attack.
What breaches need to be reported to a supervisory authority?
GDPR requires the reporting of any data breach to a supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In order to determine whether a breach results in a risk, one must evaluate the possible negative consequences of the breach to the individual. Negative consequences can include:
- Loss of control over personal data;
- Limitation of rights;
- Identity theft or fraud;
- Financial loss;
- Unauthorized reversal of pseudonymization;
- Damage to reputation; and
- Significant economic or social disadvantage.
When assessing risk to individuals, you should determine how the breach happened, how severe the potential impact would be and how likely that impact is to actually occur, paying attention to the following criteria:
- The type of breach;
- The nature, sensitivity, and volume of personal data compromised;
- Ease of identification of individuals;
- Severity of consequences to individuals;
- Special characteristics of the individual;
- Special characteristics of the data controller; and
- The number of affected individuals.
If you determine that it is likely that there will be a risk to individuals, then you must contact the relevant supervisory authority that oversees your data processing activities.
Timeline for reporting breaches
GDPR has a very strict timeline for informing a supervisory authority of a data breach: you must do so as soon as you become aware that a personal data breach has occurred, and in any case no later than 72 hours after having become aware of it. If you cannot meet that deadline, you should state your reasons for the delay in the notification, and you may provide the required information in phases.
What breaches need to be reported to individuals?
You must inform individuals of the data breach if the breach is likely to result in a high risk to their rights and freedoms. In other words, your risk assessment will require you to notify individuals when the risk posed is higher than the level of risk that triggers notification of the supervisory authority. You should notify individuals whenever this is required, as such notification helps them take steps to protect themselves from the effects of the breach.
Consequences of failure to notify
If you fail to give notification of a data breach when you were required to do so, you can be fined up to €2,000,000 or 2% of your global turnover, whichever is higher, so compliance is key.
Data breaches can have negative consequences for the individuals whose personal data you hold, which is why GDPR has such stringent requirements for reporting data breaches to supervisory authorities and to the individuals themselves. It is your responsibility not only to implement proper security and privacy safeguards to prevent data breaches in the first place, but also to document every step you take in response to a data breach if one does occur. For this reason, having a predetermined Data Breach Policy and Procedure can be invaluable for responding properly and on time, and for meeting the compliance requirements imposed by GDPR.