In today’s world, data breaches are a reality. No, we don’t want them to happen, but the reality is that these do happen. And, when a data breach involves personal data of EU residents, it comes under the jurisdiction of EU GDPR. This means that there may be a need to notify the Data Protection Authority about the personal data breach within 72 hours of finding the breach. In addition, there can be huge fines and reputational damages associated with personal data breaches. Let us understand how to handle a personal data breach in the context of EU GDPR.
Who does what, when personal data is breached?
- Staff, usually the security incident management team, should inform the Data Protection Officer (DPO).
- The DPO of the controller should notify the Data Protection Authority when the risk to the rights and freedoms of data subjects is high.
- The DPO of the controller may notify data subjects, if the risk to the rights and freedoms of data subjects is high. This should be done with the public relations team within the organisation.
- The Data Protection Officer of the processor must notify the controller, as stated in the contract. In this case, all personal data breaches need to be reported to the controller, without exception.
How should a personal data breach be handled?
In my view, your personal data breach should be handled according to the following steps:
1) Inform your Data Protection Officer: As soon as a personal data breach is identified, the first and foremost task is to inform and involve the DPO in your organisation.
2) Assess scope and impact: Identify the extent of the impact, and the scope of the personal data breach; i.e.:
- Ascertain that personal data was breached.
- Estimate the number of data subjects whose personal data was possibly breached.
- Determine the possible types of personal data that were breached.
- List security measures that were already in place to prevent the breach from happening.
As personal data breaches are to be reported within 72 hours by the controller, this step should be a high priority, and should focus on providing sufficient information to the DPO for this notification to the Data Protection Authority.
See also: The obligations of controllers towards Data Protection Authorities according to GDPR.
3) Notify the relevant parties: The DPO of your organisation should inform the Data Protection Authority if your organisation is the controller of personal data. If the risk to the rights and freedoms of data subjects is high, the data subjects should also be informed by the DPO of the controller. However, if your organisation is the processor of personal data, the DPO should notify the responsible person stated in your contract with the controller.
The communication should include contact details of the DPO, details of the breach, likely impact, actions already in place, and those being initiated to minimise the impact of the data breach. Also, it is important to mention that further impact is being investigated (if required), and necessary actions to mitigate the impact are being taken.
4) Deep dive, contain and notify: While the DPO is notifying the relevant authorities, it is critical that the incident team continues the deep dive on the following two tracks in parallel:
- Taking all possible measures to reduce the risk and contain further unauthorised access
- Continuing to refine the original estimate of the number of data subjects breached and the types of personal data that were breached
As details are being discovered, the DPA or controller may be updated on the current situation.
If the freedoms and rights of data subjects are significantly impacted, the DPO of the controller would need to decide if the data subjects also need to be informed. If so, the public relations or communications team of the company should be involved in this communication.
5) Review and monitor: Once the personal data breach has been contained, the organisation should conduct a review of existing measures in place, and explore the possible ways in which these measures can be strengthened to prevent a similar breach from reoccurring. All such identified measures should be monitored to ensure that the measures are satisfactorily implemented.
And, while you take the above steps, always keep a log of your actions and keep a data breach register.
As personal data breaches can have significant reputational and financial consequences, personal data breaches need to be managed carefully. Do not wait for a personal data breach, but set up a personal data breach process and create templates for notifications now.
To help you decrease the risks of data breaches, try this online Security Awareness Training.