Be prepared.
What is a data breach?
To give you a technical definition, a data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized access to, or disclosure of personal data. It can be caused by anything from an email sent to the wrong recipient or a stolen laptop to hacking, phishing or even a fire in a data centre.
Do I need to notify the authorities of a data breach?
Under the GDPR, data controllers must report a data breach to the DPA within 72 hours of becoming aware of it. You risk a substantial fine if you don’t. The only exception is where the breach is unlikely to result in a risk to the rights and freedoms of individuals.
How do I notify the DPA?
Through a form on the DPA’s website. After receiving a data breach notification, the DPA conducts an initial review to assess the severity and potential impact of the breach. This involves examining the nature of the breach, the type of data involved, and the potential risks to the individuals affected. For any breaches identified as high-risk, the DPA may undertake additional supervisory actions and launch a formal investigation, though this does not happen frequently.
Do I need to inform the individuals affected?
The threshold for communicating a breach to individuals is higher than for notifying supervisory authorities. If the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, they must be informed promptly. If the breached data is unintelligible to third parties – for example, because it has been sufficiently encrypted – then it is often not necessary to inform them. However, if their privacy is threatened, you must inform the individuals affected by explaining what has happened, what the (likely) consequences are and what measures you have taken to address the breach.
What should I do in case of a data breach?
Act immediately to mitigate further risks. These are some steps you should consider taking:
- Work closely with your IT department to evaluate the scope of the breach and implement measures to mitigate risks – e.g. force a password reset – as soon as possible.
- Identify all parties involved in the processing of the impacted personal data – e.g. your hosting provider.
- Assess what information and assistance you need to be able to implement any necessary mitigating steps.
- Investigate the breached personal data to assess the risks for individuals and determine whether you must notify the DPA or inform the individuals affected.
- When the dust has settled, conduct a review of your Incident Response Plan to identify possible improvements.
- Enhance your defence against future breaches by implementing strong technical and organisational measures, such as encryption, anonymisation and comprehensive compliance training for employees.
- Maintain detailed records of data breaches in your internal register.
Need assistance with a data breach, or mitigating future risks? Project Moore is here to help!