Personal data breach (data breach)
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It is not limited to the loss of data or to the unauthorised access to personal data.
Examples: access to data by an unauthorised person; accidental or unlawful action (or failure to act) by the controller or the processor; sending data to the wrong recipient; loss or theft of a device containing personal data; alteration or unauthorised modification of personal data; loss of availability of personal data (including a temporary loss, such as data made unavailable by ransomware or an outage).
It is essential to establish promptly whether a security incident is in fact a personal data breach, and then to take the appropriate measures to contain it and limit its effects. If a data breach has occurred, the controller must notify it to the supervisory authority (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, see below) and, in certain cases, communicate it to the data subjects affected.
In any case, a record of all data breaches must be maintained, including those that are neither notified to the supervisory authority nor communicated to data subjects. The record should document the facts relating to the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
When to notify a personal data breach to the supervisory authority
The GDPR requires notification of a personal data breach to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Whether such a risk exists is to be assessed by considering both the likelihood and the severity of the consequences and adverse effects for the data subjects. Relevant criteria include:
1. type and nature of personal data breached (e.g.: information considered of the utmost confidentiality, special categories of personal data)
2. number of data subjects affected
3. effects which the breach may entail to data subjects (e.g.: identity fraud, loss of control over personal data, physical, material or non-material damage, financial loss, economic or social disadvantage).
Example to be notified: theft of a filing system containing personal data relating to customers. The data could be used for identity fraud or for the unlawful use of means of payment (economic loss).
Example not to be notified: loss of, or unlawful access to, a directory containing only staff phone numbers.
A data breach shall be notified to the supervisory authority «without undue delay» and, where feasible, «not later than 72 hours» after the controller has become aware of it. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay. Where all the required information is not yet available, it may be provided in phases, again without undue delay.
The Italian supervisory authority has made available a free downloadable template in PDF format (Italian version) to notify a data breach.
When to communicate a personal data breach to data subjects
The communication of a personal data breach to data subjects is required only when the breach is likely to result in a high risk to the rights and freedoms of the persons affected; in that case it must be made without undue delay. In principle, the data breach should be communicated to the affected persons directly. Nonetheless, the GDPR recognises that this may involve a disproportionate effort. In such a case, the controller can inform data subjects in an alternative and equally effective manner (e.g. a public communication). Besides, the GDPR provides for conditions which, if met, exempt the controller from communicating the breach to data subjects: for instance, when the affected data had been rendered unintelligible to anyone not authorised to access it (e.g. by means of encryption whose keys were not compromised), or when the controller has taken subsequent measures ensuring that the high risk is no longer likely to materialise.
To learn more, read the FAQs or contact me.