Many may be familiar with guidelines on personal data breach notification from Article 29 Working Party (WP29) prepared in October 2017 under Regulation 2016/679. In addition, the General Data Protection Regulation (GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority.
The basic concept of personal data breaches was not introduced first by the GDPR, and there are also some EU Member States that already have their own national breach notification obligation. This may include the obligation to provide notification of breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands).
GDPR contains several provisions relating to personal data breaches that data controllers (and processors) must also be aware of. Additional information can be found in ISACA’s Implementing the General Data Protection Regulation publication; however, I’ve outlined some key highlights on breaches below.
So first, what is a personal data breach?
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What type of personal data breaches exist?
- Confidentiality breach
- Availability breach
- Integrity breach
It is also apparent from above that the concept of personal data breaches is closely linked to the principle of the integrity and confidentiality of personal data (Article 5 (1) (f) of the GDPR). Therefore, a wide variety of personal data breaches may occur, such as losing a laptop or USB drive that contains personal data, attacking an IT system, or even sending a letter or an email to wrong recipient.
Four years earlier, WP29, in its Opinion issued in 2014 (Opinion No. 03/2014), presented a number of practical examples of what is considered to be a personal data breach and the consequences it may have.
Why is it so important that the personal data breach is handled as soon as possible?
The Preamble to the GDPR (Point 85) states that “a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons,” such as:
- Loss of control over their personal data or limitation of their rights
- Identity theft or fraud
- Financial loss
What should you do if a personal data breach occurs?
The data controller has several tasks when a personal data breach is noticed:
- The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
- The controller shall document any personal data breaches.
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
When does the personal data breach not need to be reported to the authority and when do the persons concerned not have to be notified directly?
If the data controller can demonstrate, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification may be omitted. (For example, if mail sent by a controller to a wrong address is returned without being opened, meaning that no personal data has been accessed by an unauthorized person.
How can controllers prepare for handling personal data breaches?
Given that personal data breaches can occur at any data controller, and in such cases data controllers need to react quickly, it is important for controllers to be prepared in this respect as well.
First, every actor must prepare a data breach response plan, for which there may be internal rules as well. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.
Below is a data breach response plan quick checklist to help with this preparation:
|Information to be included||Yes/No||Comments|
|What a data breach is and how staff can identify one|
|Clear escalation procedures and reporting lines for suspected data breaches|
|Members of the data breach response team, including roles, reporting lines and responsibilities|
|Details of any external expertise that should be engaged in particular circumstances|
|How the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions|
|An approach for conducting assessments|
|Processes that outline when and how individuals are notified|
|Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted|
|Processes for responding to incidents that involve another entity|
|A record-keeping policy to ensure that breaches are documented|
|Requirements under agreements with third parties such as insurance policies or service agreements|
|A strategy identifying and addressing any weaknesses in data handling that contributed to the breach|
|Regular reviewing and testing of the plan|
|A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan|
Recommendations on next steps:
An effective data breach response generally follows a four-step process — contain, assess, notify and review:
- Contain the data breach to prevent any further compromise of personal information.
- Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, take action to remediate any risk of harm.
- Notify individuals and the Commissioner if required. If the breach is an “eligible data breach” under the NDB scheme, it may be mandatory for the entity to notify.
- Review the incident and consider what actions can be taken to prevent future breaches.
How does the Hungarian DPA prepare to perform its duties in relation to personal data breaches?
Based on available information from the Hungarian DPA, there is a separate department within the Hungarian DPA’s organization that addresses receiving and managing the personal data breach notifications. It is also expected that data breach notification must be made on the authority’s website, or there will be an online interface which the notifications can be sent to the authority.
Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.
Laszlo Dellei, MBA,CISA, CGEIT, CRISC, C|CISO
[ISACA Now Blog]