Data breaches


Data breaches can have a detrimental impact on your organisation. From financial loss, to fines, to a decline in customer trust, the impact of data breaches can be massive. That is why it is essential to implement cybersecurity good practices and procedures to prevent security incidents. Despite this, you may still suffer a data breach which you may have to notify to your respective data protection authority (DPA) or communicate to the affected individuals.

What is a “personal data breach”?

A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

Organisations should be aware that a personal data breach can cover a lot more than just ‘losing’ personal data. It includes incidents affecting the confidentiality, integrity or availability of personal data. Importantly, personal data breaches include security incidents that are the result of both accidents (such as sending an email to the wrong recipient, losing a USB key containing customer data, or accidentally deleting medical data for which no backup is available), as well as deliberate acts (such as phishing attacks to gain access to customer data).

In other words, this includes situations such as where someone accesses personal data or passes it on without proper authorisation, or where personal data is rendered unavailable through encryption by ransomware, or accidental loss or destruction. Whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches (since there may not be any personal data involved in a given security incident).

Art. 4 GDPR

Obligations for data controllers

If your SME acts as a data controller, there are three primary principles regarding data breaches:

  1. documentation of any personal data breaches;
  2. notification of any personal data breach to the relevant data protection authority (DPA) within 72 hours, unless it is unlikely to result in a risk to individuals; and
  3. communication of that breach to the individuals without undue delay, where the breach is likely to result in a high risk to individuals.

It is of utmost importance that data controllers understand and comply with these obligations, and implement in advance the appropriate procedures that will allow them to objectively determine in due time whether any of the notifications mentioned above are required.

In any event, for all breaches – even those that are not notified to a DPA, on the basis that they have been assessed as being unlikely to result in a risk – the data controller must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Art. 33(5) GDPR.

Art. 5 GDPR
Art. 33 GDPR
Art. 34 GDPR

What to do and how to take action?

Data Breach Notification to the relevant DPA

According to Art. 33.1 GDPR, all data breaches should be notified to the relevant DPA, except for those unlikely to present any risk to individuals. To facilitate this notification, DPAs have implemented procedures or online forms that will guide you step by step to ensure you provide all the required information.

If the breach takes place in the context of cross-border processing and notification is required, the data controller, if established in the EEA, will need to notify the lead DPA. Thus, when drafting their breach response plan, a data controller should already make an assessment as to which DPA is the lead DPA they will need to notify. If the data controller has any doubt as to the identity of the lead DPA then they should, at a minimum, notify the local DPA where the breach has taken place.

Where notification is required, this must be done as soon as possible and within 72 hours after having been made aware of the breach. In case this is not possible, a justification for the delay will be required. An organisation should be regarded as having become ‘aware’ when there is a reasonable degree of certainty that a security incident has occurred and compromised personal data.

In order to be able to demonstrate to the relevant DPA when and how they became aware of a personal data breach, it is recommended that all organisations, as part of their internal procedures on personal data breaches, have a system in place for recording how and when they become aware of personal data breaches and how they assessed the potential risk posed by the breach.

Where it is not possible to provide all of the relevant information to the DPA within the 72-hour period, the notification should be made in several steps. The initial notification should be lodged and further information may be provided in phases.

Similarly, per Art. 33(2) GDPR, if your SME is a data processor, processing personal data on behalf of another organisation, you must notify the data controller of any personal data breach without undue delay. This is of key importance in enabling the data controller to comply with their notification obligations in due time. The requirements on breach reporting should also be detailed in the contract between the data controller and processor, as required under Art. 28 GDPR.
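The three controller obligations above, the 72-hour window counted from the moment of awareness, the phased notification and the internal record required by Art. 33(5) can be captured in a small breach register. The following is an added example written for this page, not code from the page or from any DPA's notification tool: the field names, the `Risk` categories, the `BR-0001` reference and the stolen-laptop incident are all constructed assumptions, and the functions only model the timing and decision logic described in the text, not the content a particular DPA's form asks for.

```python
"""Breach register with Art. 33/34 obligation checks (illustrative example, not an official tool)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Art. 33(1) GDPR: notify the competent DPA without undue delay and, where
# feasible, not later than 72 hours after having become aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Result of the controller's risk assessment for the breach."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "likely to result in a risk"
    HIGH_RISK = "likely to result in a high risk"


@dataclass
class BreachRecord:
    """One entry in the internal breach register (Art. 33(5) GDPR).

    The field names are this example's own choice, not a prescribed schema."""
    reference: str                      # internal identifier (constructed)
    aware_at: datetime                  # moment of 'awareness': reasonable certainty a breach occurred
    how_aware: str                      # how the organisation became aware (recommended to record)
    facts: str                          # nature of the breach
    risk: Risk                          # assessment outcome
    risk_reasoning: str                 # why that outcome was reached
    effects: str                        # consequences for individuals
    measures: str                       # steps taken in response
    dpa_notified_at: Optional[datetime] = None
    delay_justification: Optional[str] = None
    phases: list[str] = field(default_factory=list)  # information supplied to the DPA, in phases


def obligations(record: BreachRecord) -> dict[str, bool]:
    """Which of the three controller obligations apply, given the risk assessment."""
    return {
        "record_internally": True,                                    # always, Art. 33(5)
        "notify_dpa": record.risk is not Risk.UNLIKELY,               # Art. 33(1)
        "communicate_to_individuals": record.risk is Risk.HIGH_RISK,  # Art. 34(1)
    }


def dpa_deadline(record: BreachRecord) -> datetime:
    """Latest time for the initial notification to the DPA."""
    return record.aware_at + NOTIFICATION_WINDOW


def hours_remaining(record: BreachRecord, now: datetime) -> float:
    """Hours left in the 72-hour window (negative once it has passed)."""
    return (dpa_deadline(record) - now).total_seconds() / 3600


def hours_after(record: BreachRecord, hours: float) -> datetime:
    """Convenience: a timestamp `hours` after the moment of awareness."""
    return record.aware_at + timedelta(hours=hours)


def register_dpa_notification(record: BreachRecord, when: datetime, content: str,
                              justification: Optional[str] = None) -> int:
    """Log the initial notification or a later phase; returns the number of phases so far.

    A first notification after the deadline is accepted only with a justification for the delay."""
    if not obligations(record)["notify_dpa"]:
        raise ValueError("breach assessed as unlikely to result in a risk: no DPA notification required")
    if record.dpa_notified_at is None:
        late = when > dpa_deadline(record)
        if late and not justification:
            raise ValueError("initial notification after 72 hours needs a justification for the delay")
        record.dpa_notified_at = when
        record.delay_justification = justification if late else None
    record.phases.append(f"{when.isoformat()}: {content}")
    return len(record.phases)


def sample_breach(risk: Risk = Risk.HIGH_RISK) -> BreachRecord:
    """Constructed incident: an unencrypted laptop with customer records is stolen."""
    return BreachRecord(
        reference="BR-0001",  # constructed, not a real case number
        aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),
        how_aware="employee reported the theft to the helpdesk",
        facts="unencrypted laptop holding about 2,000 customer records stolen from a car",
        risk=risk,
        risk_reasoning="no disk encryption; records include names, addresses and bank details",
        effects="possible identity fraud against the affected customers",
        measures="remote wipe attempted; bank informed; customer contact being prepared",
    )


if __name__ == "__main__":
    breach = sample_breach()
    print(obligations(breach))
    print("deadline:", dpa_deadline(breach).isoformat())
    register_dpa_notification(breach, hours_after(breach, 10), "initial: facts known so far")
    register_dpa_notification(breach, hours_after(breach, 50), "phase 2: number of records confirmed")
    print("\n".join(breach.phases))
```

The register keeps the awareness timestamp and the risk reasoning next to the facts, so that the "when and how" of awareness can be demonstrated to the DPA later, and it refuses a first notification lodged after the 72-hour mark unless a justification for the delay is recorded with it. Later phases append to the same entry, matching the phased notification the text describes.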

A notification of a personal data breach to the relevant DPA must at least: