A data breach is one of the risks to which many organisations are exposed. One of the obvious ways of preventing a data breach – and of avoiding a fine imposed by the Dutch Data Protection Authority (DPA) – is by complying with the various obligations set out in the General Data Protection Regulation (GDPR). But what happens if you stick to the rules and yet are still affected by a data breach? What should you do?
A new set of guidelines recently published by the European Data Protection Board (EDPB) provides more clarity about this and also helps organisations (as ‘data controllers’) assess the degree of risk involved. If it becomes clear that there is indeed a risk involved, you must provide full information on the data breach and do so in good time.
Make sure you’re not fined by the DPA on account of a data breach!
The GDPR has been in effect for almost three years now and during this time a large number of organisations have fallen victim to their first data breaches. During the same period, the DPA has already imposed a range of penalties on organisations that have failed to meet their data security obligations. These penalties have included six hefty fines, among them one of a whopping €600,000 for failing to report a data breach on time.
In other words, it’s vitally important to avoid a fine by carefully following all the rules if you suspect that your organisation has suffered a data breach.
So what’s the procedure if you discover that there’s been a data breach?
This is what you should do if one of your staff reports a possible data breach:
Step 1: Check to make sure that there has indeed been a data breach;
Step 2: If there has, record the data breach in your data breach register and take any necessary preventive or remedial action;
Step 3: Check whether you need to report the data breach to the DPA and/or to those affected by it and, if you do, make sure you do so in good time.
The basic rule is that any data breach must be reported to the DPA within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. Those affected by the data breach (the ‘data subjects’) must be informed only if the breach is likely to result in a high risk to them.
Experience has shown that many organisations have trouble working out whether a data breach should indeed be reported to the DPA and/or to those affected. Similarly, they also find it hard to assess the degree of risk involved.
New guidelines on reporting data breaches
This is why the EDPB recently published a new set of guidelines on the notification of data breaches. These supplement the already existing general guidelines on data breaches. Note that, although the new guidelines have not yet officially come into force, the public consultation has now come to an end, so they can be expected to take effect in the near future.
Examples of data breaches are intended to help organisations assess the degree of risk
The guidelines are intended to help organisations assess these risks. The EDPB has decided to provide examples of common types of data breaches and to indicate:
- what measures the organisation in question should have taken prior to the incident;
- what measures the organisation is required to take after the incident;
- how to assess the risks; and
- when the DPA and the data subjects should be notified.
The examples of data breaches contained in the guidelines include the following:
- an email containing sensitive information that is sent to an unintended recipient;
- a letter containing personal data that is sent to the wrong address;
- a situation in which identity fraud results in the alteration of an email address in an organisation’s database, so that emails are henceforth sent to an email address other than that of the customer in question;
- theft of documents containing personal data.
Advice about the GDPR and the registration of data breaches
Would you like to know how to comply with your obligations in relation to data breaches? Or would you like to find out more about how to handle data breaches or how to draw up a policy on data breaches? Feel free to get in touch with me or with one of the other specialists in privacy law and the GDPR here at RWV Advocaten. We’ll be only too pleased to help.