The General Data Protection Regulation has been in force for a little over two years. It was created to truly harmonize data protection laws in Europe, and in order to do that, it has brought several changes to the previous regime. Among them are the greater level of control given to data subjects, an increased territorial scope of application for the Regulation, and even new roles, such as that of Data Protection Officer. These changes can sometimes be difficult to navigate, and it was to help organizations that our Xcure team has created this special Privacy & Data Protection Law series. This time, we will explain what a data breach is and what steps your company has to take should one ever happen.
1. What is a data breach?
A personal data breach is defined under the GDPR by the following elements:
- It is a breach of security
- That leads either to the accidental or unlawful
- Destruction, loss, alteration, unauthorised disclosure of, or access to
- Personal data transmitted, stored or otherwise processed.
All of the listed elements must be present for an event to be a personal data breach subject to the notification rules of the Regulation. Note that the definition covers more than leaks: a ransomware incident that encrypts customer records (loss of availability) or a bug that corrupts them (alteration) is a breach just as much as an unauthorised download is. Conversely, if your organization suffers a security incident that does not involve personal data (defined as any information relating to an identified or identifiable natural person, whether directly or indirectly), the GDPR breach notification duties do not apply, although you should still document why you reached that conclusion.
2. What should my organization do if a data breach occurs?
The first thing is determining whether your organization is a controller or a processor for the data concerned, since the obligations differ. If a data breach happens, a processor must notify the respective controller without undue delay after becoming aware of it (Article 33(2)); it is then the controller that assesses the breach and decides on further notifications, with the processor assisting as required by its processing contract (Article 28(3)(f)).
Controllers, on the other hand, have three main tasks:
- Determine whether a personal data breach has really happened
- If a breach has indeed happened, determine whether it is likely to result in a risk to the rights and freedoms of data subjects
- If the breach is likely to result in a risk, notify the relevant Supervisory Authority without undue delay and, depending on the case, also the data subjects potentially affected.
For the notification to the Supervisory Authority, "without undue delay" means, where feasible, not later than 72 hours after the controller becomes aware of the breach (Article 33(1)). The clock starts when the organization has a reasonable degree of certainty that a breach has occurred, not when the investigation is finished: if not all information is available within 72 hours, the Regulation expressly allows it to be provided in phases (Article 33(4)), and a notification made after the 72 hours must be accompanied by the reasons for the delay. Notification to data subjects under Article 34 has no fixed 72-hour limit, but it must also be made without undue delay.
3. Which information should be included in the data breach notification to my Supervisory Authority?
When notifying a data breach (Article 33(3)), the controller must provide the relevant Supervisory Authority with:
- The contact details of its Data Protection Officer or other contact person
- Description and nature of the breach, including information about the categories and approximate number of data subjects and personal data records affected
- Likely consequences and repercussions of the breach
- Measures that the organization has taken and/or proposes to take to mitigate the effects of the breach.
The organization must always document its personal data breaches (Article 33(5)), recording the facts of the breach, its effects and the remedial action taken. This applies even in cases in which the Authority is not informed because the breach is unlikely to result in a risk to the rights and freedoms of data subjects: the record is what allows the Authority to verify that the decision not to notify was justified.
4. When does my organization need to inform data subjects about breaches?
According to Article 34 of the GDPR, data subjects must be informed of a personal data breach when it is likely to result in a high risk to their rights and freedoms.
While the Regulation itself does not define what these risks are, Recital 75 explains they include risks of physical, material and non-material damage to data subjects. They occur when the processing of data can give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, and any other significant economic or social disadvantage.
The likelihood of such damage occurring is particularly high when the data breach involves special categories of personal data, such as a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation, as well as data relating to criminal convictions and offences.
Additionally, there is high risk in cases in which the breach involves the personal data of vulnerable persons (especially children), and when it relates to the processing of large amounts of personal data from a large number of data subjects.
Recital 76 explains that the likelihood and severity of the risk must be established through an objective assessment rather than the controller's preference. In practice that means weighing the number of data subjects, the number of data records, the type of personal data, how easily the data can be used to identify or harm individuals, and the possible consequences and impact of the breach for the persons concerned.
In the infographic above, you can find an easy guide to know who needs to be notified and when. It is important to note, however, that there are some key exceptions to this notification rule. Under Article 34(3), a controller does not have the obligation to inform data subjects of a data breach, even when it is likely to result in a high risk to their rights and freedoms, if:
- The personal data was protected by measures that render it unintelligible to any person not authorised to access it (for example, it was encrypted with a state-of-the-art algorithm and the encryption key has not been compromised). This exception does not help if the key was stored alongside the data, if the encryption is outdated or weak, or if the breach is one of availability (the only copy of the data was destroyed or encrypted by ransomware), because unintelligible data is still lost data.
- The controller has taken subsequent measures which ensure that the high risk is no longer likely to materialize (for instance, the leaked data was recovered before anyone could access it).
- Notifying data subjects individually would demand a disproportionate effort, in which case the controller must instead make a public communication, or a similar measure, through which data subjects are informed in an equally effective manner (for instance, a prominent notice on the company's website or a press release).
These exceptions only remove the duty to inform data subjects. The notification to the Supervisory Authority under Article 33 and the internal documentation of the breach remain mandatory.
How is your organization handling all the requirements of the GDPR? We know that if you’re following our special series on Privacy & Data Protection Law, you are already well-informed, but how about learning how to make compliance even easier? To get ahead in your compliance journey, try out the Privacy Management Tool for free now!
Contact Xcure team, if you want more information or presentation about the Privacy Management Tool.