Does your business or organisation handle personal data – and know what to do in case of a data breach? Not every data breach is the same – some data breaches are remedied fairly quickly and with little to no risk to the affected individuals. Others, however, may be much more impactful and severe, and can lead to negative consequences for the affected data subjects.
However, no matter the severity, every data breach requires certain remedial actions to be taken in order to meet the requirements of the GDPR and limit the risk of harm to affected individuals. In this blog we explain what constitutes a “data breach” under the GDPR and what actions to take.
What is a “data breach”?
According to the GDPR, a “data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Under this broad definition, any situation in which personal data is unintentionally or unlawfully disclosed or made accessible constitutes a “data breach” in the meaning of the GDPR. Common examples range from mistakenly sending an e-mail containing personal data, or losing a laptop or telephone containing accessible personal data, to typically more severe breaches such as cyber incidents involving widespread unauthorised access to, or loss of, sensitive personal data.
The degree of severity depends on the impact and the risk of harm to the affected individuals. The risks commonly include identity theft, reputational damage, financial loss or discrimination. For example, the impact and risks of a data breach might be more limited if an e-mail with non-sensitive personal data is sent by mistake to the wrong colleague within an organisation. The same applies if a laptop containing personal data is lost, provided the personal data is adequately encrypted and the laptop is immediately wiped.
On the other hand, if the personal data contains sensitive data such as financial information which could lead to identity theft, then the impact and risks of the data breach may be greater and more severe. The severity of a data breach is crucial for determining exactly what to do in case of a data breach.
How to respond to a data breach?
If you become aware of a data breach, or even suspect that a data breach may have occurred, it is crucial to determine the required actions. These may include notifying the relevant privacy regulator and the individuals whose personal data has been compromised.
According to the GDPR, the privacy regulator must be notified no later than 72 hours after becoming aware of a data breach. Not every data breach, however, must be notified to the authorities. If the data breach is unlikely to result in a risk to the rights and freedoms of the individuals, it is not required to notify the privacy regulator. In cases of doubt, it may nevertheless be advisable to notify the privacy regulator.
In some cases, the affected individuals must also be informed of the data breach. This is the case if the data breach is likely to result in a high risk to the rights and freedoms of the individuals. There are specific requirements as to what information must be provided, including information on the nature of the data breach and the measures taken in response to it.
As the required and recommended actions depend on the nature of the data breach and the risks/severity, it is important that companies and organisations have adequate breach procedures in place, in order to effectively:
- understand what has happened
- assess the risk of harm
- determine and execute the required actions
Step 1: Understand what has happened
The first step for any data breach is to start the clock. Certain data breaches must be reported to the authorities within 72 hours. It might however not be immediately clear whether or not the reporting obligation applies. Starting the clock is therefore always the first thing to do when learning of a data breach.
The next thing for the organisation is to try to gather as much information as possible regarding the data breach, including how the data breach happened, how many people are involved and what type of data is affected. This is necessary in order to determine what actions to take.
In some cases, immediate action can be taken. This may include asking unintended recipients to delete or return the data, recovering or backing up lost data, remotely wiping data on lost devices, and/or changing passwords. Any remedial actions which can be taken immediately should be taken. In addition, it is recommended to record all the information, the timeline and any actions taken, for documentation purposes.
Step 2: Assess the risk of harm
Not every data breach is the same and thus not every data breach requires the same actions. Therefore, in order to determine the seriousness and the necessary actions, the organisation needs to perform a risk assessment and determine the risk of (potential) harm to the individuals whose personal data is affected by the data breach. This is done by considering factors such as:
- What kind of personal data is affected by the breach?
- How many persons are affected by the breach?
- Who has access to the personal data?
- How could the breach (potentially) impact the affected persons?
- Are there remedial or mitigating actions available?
The crucial question for the risk assessment is whether the data breach can negatively affect or even harm the affected individuals. The relevant questions also include whether the individuals are vulnerable, for example children, and whether affected individuals are at risk of suffering a financial loss or reputational damage. The risk is higher the more sensitive the data is, and the more likely it is that the data is accessible to, or in the hands of, an adversary.
Step 3: Determine and execute required actions
If a data breach is determined to pose “no risk” or a “very low risk”, it might be sufficient to take the mitigating or remedying actions, update internal procedures and implement new preventative measures to avoid similar or worse data breaches in the future. If the data breach is determined to pose a risk to the affected individuals, it must be reported to the relevant privacy regulator within 72 hours. This is a legal requirement which applies to any data breach that poses a risk to the affected individuals.
Secondly, for “high risk” data breaches, the individuals affected by the data breach must also be informed. This too is a legal requirement and must be done without undue delay. It is also particularly important to comply with this obligation in order to enable the affected individuals to take actions to protect themselves. There are specific requirements regarding the information which must be provided when notifying the affected individuals.
Depending on the specific circumstances of the data breach other actions may also be required. It is therefore important to fully determine what actions can and should be taken, and how to execute them.
When it comes to data breaches, the best actions are preventative actions. Companies and organisations should therefore invest the time and resources necessary to implement measures to protect against data breaches. Preventative measures should also include staff training and procedures for the unfortunate event that a data breach does occur. This not only equips the organisation to respond to a data breach in a timely and effective manner, but may also reduce the costs and resources required for managing a data breach, as well as mitigating the enforcement-related risks associated with a data breach.
Although the focus is on mitigating and remedying any potential harm or risk to the individuals affected by the data breach, implementing data breach procedures also mitigates the negative consequences of a data breach on the business or organisation itself. Aside from reputational damage, a data breach also exposes the business or organisation to the risk of severe fines imposed by privacy regulators. These fines may further be increased if the data breach could have reasonably been avoided.
On top of this come the considerable costs and resources required for managing a data breach, the costs of repairing compromised systems, commercial costs, and potential compensation claims by affected individuals. Therefore, if your business or organisation handles personal data, data breach prevention should be an essential part of your organisation’s GDPR compliance.
If you have any questions or would like more information, please reach out to us: