A data breach can happen to any business, no matter how big or small. However, if you don’t have a data breach management plan in place, you’re putting your company at risk. But there is no room for improvisation: you need clear and effective procedures that must comply with the GDPR.
What is a data breach?
The GDPR defines a data breach in Art. 4. Basically, it is a security breach that leads to the destruction, loss, modification, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. The violation can be accidental or have an illegal purpose. In any case, it can compromise the confidentiality, integrity or availability of data.
The violation can have various causes:
- access by unauthorized third parties;
- theft or loss of devices containing personal data;
- human error, such as losing data or sharing it with the wrong people;
- deliberate alteration of personal data;
- malfunctions, physical damage, calamities;
- cyber attacks (phishing, ransomware, Distributed Denial of Service attacks).
The consequences can be serious:
- data loss: for example, ransomware attacks can block access to data. Until a ransom is paid, the data is virtually lost. In any case, you lose control of your data and it can be used to harm your business or customers;
- data theft and identity theft: cybercriminals may steal industrial data to limit your competitive advantage or to sell it on the Dark Web. Furthermore, they may use the personal data of employees, partners, and customers for fraudulent activity;
- reputational damage: in the event of a security breach, partners and customers may believe that your company is not paying enough attention to cyber security, making you appear less reliable;
- financial loss: losing your data could block your production processes and, therefore, your sales. Furthermore, you may have to pay fines or compensate customers if their data is lost or stolen;
- legal consequences: you may be subject to civil or criminal penalties if you fail to comply with data protection laws.
The process of managing a data breach according to the GDPR
The General Data Protection Regulation (GDPR) is a regulation of the European Union that came into force on May 25, 2018. It strengthens and complements the EU data protection framework by giving individuals more control over their personal data, establishing new rights for individuals, and creating new obligations for companies that process data.
The process of managing a data breach in accordance with the GDPR should follow 3 phases:
1) Identification of the security breach
You need to understand what happened and verify that an actual breach of personal data occurred. You should identify which data and systems are involved and which security measures have not worked.
At this stage you must determine the type of violation:
– confidentiality: disclosure of personal data, unauthorized or accidental access;
– integrity: unauthorized or accidental modification of data;
– availability: accidental or unauthorized loss of access to, or destruction of, personal data.
Combinations of 2 or all 3 categories are possible.
The second phase consists in recording what happened in the appropriate data breach register (type of violation, seriousness, and necessary corrective actions).
In the third phase, depending on the type of violation, the GDPR requires notifying only the supervisory authority or also the data subjects concerned.
What to do: reference articles
– Art. 33 of the GDPR requires that in the event of a data breach, the data controller notifies the violation promptly.
– Art. 55 specifies that the data controller must notify the competent supervisory authority within 72 hours of becoming aware of it. The data controller must carefully prepare the notification, which must contain some specific information:
- a description of the data breach;
- the name and contact details of the data protection officer;
- the likely consequences of the security breach;
- the measures taken or proposed to be taken to mitigate those consequences.
– Art. 34 states that, when the violation of personal data jeopardizes the rights and freedoms of natural persons, the data controller must inform them about the violation. However, there are some exceptions:
- if the data controller has adopted technical and organizational measures that make the data unintelligible to unauthorized persons (e.g. encryption);
- when subsequent containment measures mean that the high risk is no longer likely to materialize;
- if communicating with each individual would require disproportionate effort (in this case, a public communication is possible instead).
GDPR: the accountability principle
The accountability principle is one of the pillars of the GDPR: data controllers must be able to demonstrate that they have implemented appropriate measures to ensure compliance with data protection principles. For example, the data controller must have:
- implemented appropriate technical and organizational measures;
- taken into account the risks inherent in processing operations;
- adopted measures to ensure an adequate level of security;
- implemented measures to ensure the confidentiality, integrity, availability, and resilience of data processing systems;
- taken into account the risks posed by data processing operations.
The data controller must also take into account the nature, scope, context, and purposes of data processing when implementing appropriate technical and organizational measures.
How to prevent data breaches
The best way to deal with data breaches is to prevent them from happening in the first place. But what are the appropriate technical and organizational measures mentioned above? Here are a few examples.
- Technical measures:
– data encryption: data encryption is a process that makes data unreadable and unusable by unauthorized persons. Data encryption is an effective way to protect data in transit, as well as data at rest;
– access control: data controllers must implement procedures and technical measures to ensure that only authorized persons can access personal data (like multi-factor authentication or biometric recognition);
– pseudonymization: a technique that replaces data that could identify a data subject with one or more artificial identifiers (pseudonyms);
– data minimization: data controllers must ensure that only the minimum amount of data necessary for the purposes of data processing is collected and processed;
– physical security measures to prevent unauthorized access, destruction, or damage (e.g. locked cabinets, data rooms).
- Organizational measures:
– Data Protection Impact Assessments (DPIAs): data controllers must carry out DPIAs to assess the risks posed by data processing operations and take appropriate measures to mitigate those risks;
– data protection by design and by default: data controllers must implement data protection principles from the outset of data processing operations, as well as integrate them into their systems and processes;
– training of employees: employees need adequate training on data protection principles and data security measures.
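As an added illustration of the pseudonymization and data minimization measures listed above (example code written for this page, not part of the original article), the following Python snippet replaces identifying fields with keyed HMAC-SHA256 pseudonyms and drops every field the processing purpose does not need. The field names, sample records and key are constructed assumptions; in practice the key is the "additional information" kept separately from the dataset, so a leaked copy of the pseudonymized data alone does not identify anyone.

```python
import hmac
import hashlib
from typing import Optional

# Fields that directly identify a data subject (assumed for this example).
IDENTIFYING_FIELDS = ("name", "email")

def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256 of the normalized value): the same input
    always maps to the same token, so records stay linkable, but going back
    to the person requires the key, which is stored apart from the dataset."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()

def pseudonymize_record(record: dict, key: bytes, needed_fields: set) -> dict:
    """Replace identifying fields with pseudonyms and keep only the other
    fields the processing purpose needs (data minimization)."""
    out = {}
    for field, value in record.items():
        if field in IDENTIFYING_FIELDS:
            out[field] = pseudonym(value, key)
        elif field in needed_fields:
            out[field] = value
        # Anything else (e.g. a phone number nobody needs) is not copied at all.
    return out

def reidentify(pseudonymized: dict, originals: list, key: bytes) -> Optional[dict]:
    """Key holder only: recompute pseudonyms for the originals and return
    the record whose email pseudonym matches (constant-time comparison)."""
    for original in originals:
        if hmac.compare_digest(pseudonym(original["email"], key), pseudonymized["email"]):
            return original
    return None

# Constructed sample data: two customer records; the purpose at hand only
# needs country and order total, so the phone number must not be retained.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "phone": "+00 000 000",
     "country": "IT", "order_total": 120},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "+00 111 111",
     "country": "FR", "order_total": 80},
]
NEEDED_FIELDS = {"country", "order_total"}
# Constructed demo key; a real deployment keeps it in a secrets manager.
DEMO_KEY = b"constructed-demo-key-stored-separately"

def demo() -> list:
    """Pseudonymize and minimize every sample record."""
    return [pseudonymize_record(r, DEMO_KEY, NEEDED_FIELDS) for r in SAMPLE_RECORDS]
```

Without the key, the pseudonymized rows carry no name or e-mail in clear and no phone number at all, which is exactly the situation the Art. 34 encryption/unintelligibility exception describes.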