Personal data breach (data breach)
Personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. One of the requirements of the GDPR is that, by using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Accordingly, both controllers and processors are required to implement technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed.
A key element of any data security policy is being able, where possible, to prevent a data breach and, where it nevertheless occurs, to react in a timely manner. To take the appropriate steps to address a data breach, the controller should be able to recognise it.
The meaning of destruction should be quite clear: it occurs when personal data no longer exist, or no longer exist in a form which is of any use to the controller. The meaning of damage should also be quite clear: damage occurs when personal data have been modified, altered or are no longer complete. In the case of loss, the personal data may still exist, but the controller may have lost control of them or may no longer be able to access them, or the data are otherwise no longer in the controller’s possession. Unauthorised and unlawful processing may include the disclosure of personal data to (or access by) recipients not authorised to receive (or access) the personal data, or any other form of processing infringing the GDPR.
There are three types of data breach:
1. confidentiality breach, where there is an unauthorised or accidental disclosure of or access to personal data
2. integrity breach, where there is an unauthorised or accidental alteration of personal data
3. availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
A data breach may concern confidentiality, integrity and availability at the same time, as well as a combination of these.
Whereas determining whether there has been a breach of confidentiality or integrity is quite straightforward, whether there has been an availability breach may be less obvious. A breach should always be regarded as an availability breach when there has been a permanent loss or destruction of data. This occurs, for instance, when data have been deleted, either accidentally or by unauthorised persons, or, in the case of securely encrypted data, when the decryption key has been lost. If the controller cannot restore access to the data, for example from a backup, this is regarded as a permanent loss of availability. A loss of availability may also occur when there has been a meaningful disruption of a normal service, such as a power failure.
A security incident which results in a lack of availability of personal data for a period of time is also a type of breach, since the lack of access to data may have a meaningful impact on the rights and freedoms of individuals. By contrast, the lack of availability of data due to planned system maintenance is not a breach of security, nor is a temporary power disruption.
As with the permanent loss or destruction of personal data (or any other type of breach), a temporary loss of availability of personal data should be recorded, in accordance with the principle of accountability.
Therefore, a record of all data breaches shall be maintained, regardless of whether notification to the supervisory authority or, where applicable, communication to the affected data subjects is required.
The obligations of the processor as regards data breach
The GDPR requires that both the controller and the processor implement technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed. Therefore, both controllers and processors are required to have protection procedures in place that allow them to establish immediately whether a data breach has occurred, which in turn determines whether there is an obligation to notify.
Even though the controller retains overall responsibility for the protection of personal data, the processor plays an important role to enable the controller to comply with its obligations, including the obligation of notification to the supervisory authority and, in certain cases, of communication to the affected data subjects.
Processing carried out by a processor shall be governed by a contract, and the GDPR provides that the processor shall assist the controller in ensuring compliance with all the obligations of the GDPR, which includes the obligations concerning data breaches. If the processor becomes aware of a breach concerning personal data processed on behalf of the controller, it must notify the controller «without undue delay». It should be pointed out that the processor does not need to first assess the likelihood of risk arising from a breach before notifying the controller; this assessment must be made by the controller «on becoming aware» of the breach. The processor just needs to establish whether a breach has taken place and then notify the controller. The controller engages a processor to achieve its purposes; therefore, in principle, the controller is «aware» of the breach once the processor has informed it of the breach.
The processor’s obligation to notify the breach allows the controller to address the breach and establish whether or not it is required to notify the supervisory authority and communicate with the affected persons. The controller might also investigate the breach, since the processor might not have knowledge of all the facts relating to the matter: for instance, whether the controller has a copy or a backup of the data destroyed or lost. This may affect whether the controller needs to notify the breach to the supervisory authority and communicate it to the persons involved.
The GDPR does not provide a specific time limit within which the processor is required to notify the controller. It only requires that the processor inform the controller «without undue delay». Therefore, the processor needs to notify the controller promptly, providing further information in phases as more details become available. This is quite important to help the controller meet its own obligation to notify the supervisory authority «without undue delay» and, in any case, «within 72 hours».
Where the processor provides the service to multiple controllers affected by the same incident, the processor will have to report the details of the incident to each controller.
The processor can make the notification on behalf of the controller only if it has been given proper authorisation by the controller and this is part of the contractual agreements between the controller and the processor. In any case, the legal responsibility to notify remains with the controller.
When to notify a personal data breach to the supervisory authority
The GDPR requires the controller to notify the data breach to the supervisory authority when the breach is likely to result in a risk to the rights and freedoms of individuals. The risk does not necessarily need to be high.
In fact, the controller should notify the data breach to the supervisory authority «without undue delay» and, where feasible, «within 72 hours» after having become «aware» of the breach, «unless it is unlikely to result in a risk to the rights and freedoms of data subjects».
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform the supervisory authority and the data subjects concerned promptly. In addition, it should be ascertained that the notification has been made «without undue delay», taking into account the nature and severity of the personal data breach, its consequences and its adverse effects for the data subjects.
It is quite important to clarify when the controller should be regarded as «becoming aware» of a data breach. The controller should be regarded as «aware» when it has reasonable certainty that a security incident has taken place and has led to personal data being compromised. Therefore, the controller is required to put in place all the necessary measures to ensure that it can become «aware» of any breach in a timely manner, so that it can take appropriate action. The exact moment depends on the circumstances of the breach. In some cases, it will be relatively evident from the outset that there has been a breach, whereas in others it will take time to establish whether personal data have been compromised. In any case, the emphasis should be on prompt action to investigate the incident in order to establish whether personal data have indeed been compromised and, if so, to take remedial action and notify, if required.
It may take the controller a short period of investigation to determine whether the breach has indeed occurred. During this period, the controller should not be regarded as being «aware». The investigation should begin as soon as possible in order to determine with reasonable certainty whether a breach has occurred; a more detailed investigation may then be carried out. Once the controller has become «aware» of a breach which requires notification, the notification should be made «without undue delay» and, where feasible, «not later than 72 hours».
The GDPR recognises that the controller may not always have all the necessary information concerning a breach within 72 hours of becoming «aware» of it, since full and comprehensive details of the incident may not be available during this period. Therefore, the GDPR allows for a «notification in phases». If there is certainty that there has been a notifiable breach, it is recommended to notify it within 72 hours, explaining that further details will be provided later.
The supervisory authority should agree how and when further information should be provided. This does not prevent the controller from providing other relevant information at any time, once it has knowledge of further relevant details of the breach which need to be reported to the supervisory authority.
Information to be provided to the supervisory authority
The GDPR prescribes that the notification should contain, at least:
1. description of the nature of the breach including, where feasible, the categories and the approximate number of data subjects concerned, and the categories and the approximate number of personal data records concerned
2. name and contact details of the DPO or of another contact point where more information can be obtained
3. description of the likely consequences of the data breach
4. description of the measures taken or proposed to be taken by the controller to address the data breach, including, where appropriate, to mitigate its possible adverse effects.
The GDPR does not define the categories of data subjects or personal data records. The categories of data subjects should refer to the various types of individuals whose data have been compromised (e.g. employees, vulnerable people, patients, customers, children). The categories of personal data records refer to the various types of records which the controller may process (e.g. health data, educational data, social care information, financial details, bank account numbers, credit card details).
Among other things, the purpose of notification is to limit damage to persons. Therefore, if the types of data subjects or the types of personal data indicate a particular risk of damage arising from a breach (e.g. identity theft, fraud, financial loss), it is important that the notification indicates these categories. In this way, the obligation to describe the categories is linked to the obligation to describe the likely consequences of the breach. The fact that precise information is not available (such as the exact number of data subjects concerned) should not prevent the controller from making a prompt breach notification. The GDPR allows approximations of the number of persons affected and of the personal data records concerned. Therefore, the controller should focus on addressing the adverse effects of the breach rather than on providing exact figures. When it is clear that a data breach has occurred, but its extent is not yet known, a «notification in phases» is a safe way to meet the notification obligation. The different types of breaches (confidentiality, integrity and availability) may require further information to comprehensively explain the circumstances of each case. The supervisory authority may request other details in order to investigate the breach.
In August 2019, the Italian supervisory authority issued a form (Italian version) for notifying a data breach. The notification shall be sent to the supervisory authority at the certified e-mail address protocollo@pec.gpdp.it or at the e-mail address protocollo@gpdp.it, signed either digitally or by hand. In the latter case, a copy of an identity document shall be attached to the notification. The message must contain the subject «Notification of data breach» and, optionally, the controller’s identity.
When to communicate a personal data breach to data subjects
In certain cases, the controller is required to communicate the breach to the persons concerned. The GDPR prescribes that the controller shall communicate the breach to data subjects, «without undue delay», when it is likely to result in a high risk to the rights and freedoms of persons. The controller should bear in mind that the notification is required if the breach is likely to result in a risk to the rights and freedoms of data subjects, whereas the communication to data subjects is required only if the breach is likely to result in a high risk. The communication should be made «without undue delay», which means as soon as possible. The aim of the communication is to provide specific information about steps which persons affected should take to protect themselves from any adverse effects arising from the breach.
Information to be provided to data subjects
The communication to data subjects should contain, at least:
1. description of the nature of the breach
2. name and contact details of the DPO or other contact point
3. description of the likely consequences of the breach
4. description of the measures taken or proposed by the controller to address the breach including, where appropriate, to mitigate its possible adverse effects.
The controller may provide additional information.
The communication should describe in a clear and plain language the nature of the breach.
As a rule of thumb, the data breach shall be communicated to data subjects directly, unless doing so would involve a disproportionate effort. In that case, the controller shall instead make a public communication or take a similar measure which informs the data subjects in an equally effective manner.
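The decision logic described across the sections above (record every breach; notify the supervisory authority unless a risk is unlikely; communicate to data subjects only on a likely high risk; count the 72-hour limit from the moment of becoming «aware»; check the four mandatory elements, allowing approximate or pending figures for a phased notification) can be captured in a small breach register helper. The following is an added example, not code from the article or from any supervisory authority; the data model, the `Risk` levels and the sample breach are assumptions, while the thresholds and the four mandatory elements are those the text states.

```python
"""Breach register helper: classifies a personal data breach by type,
derives the GDPR obligations, tracks the 72-hour deadline from awareness
and checks a notification for its four mandatory elements."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised/accidental disclosure or access
    INTEGRITY = "integrity"              # unauthorised/accidental alteration
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data


class Risk(Enum):
    UNLIKELY = 0    # unlikely to result in a risk: record only
    RISK = 1        # likely to result in a risk: record + notify the SA
    HIGH_RISK = 2   # likely high risk: record + notify the SA + communicate to subjects


SA_DEADLINE = timedelta(hours=72)  # "where feasible" limit, counted from awareness


@dataclass
class BreachRecord:
    nature: str                        # plain-language description of the breach
    types: set
    aware_at: datetime                 # reasonable certainty that data were compromised
    risk: Risk
    contact: Optional[str] = None      # DPO or other contact point
    consequences: Optional[str] = None
    measures: Optional[str] = None
    subject_categories: tuple = ()
    approx_subjects: Optional[int] = None   # None = figure still to follow in a later phase
    record_categories: tuple = ()
    approx_records: Optional[int] = None


def classify(disclosed: bool, altered: bool, access_lost: bool) -> set:
    """Map what happened to the data onto the three breach types.
    One incident may be several types at once."""
    types = set()
    if disclosed:
        types.add(BreachType.CONFIDENTIALITY)
    if altered:
        types.add(BreachType.INTEGRITY)
    if access_lost:
        types.add(BreachType.AVAILABILITY)
    return types


def obligations(rec: BreachRecord) -> dict:
    """Record always; notify the SA unless a risk is unlikely;
    communicate to data subjects only on a likely high risk."""
    return {
        "record": True,
        "notify_sa": rec.risk.value >= Risk.RISK.value,
        "communicate_subjects": rec.risk is Risk.HIGH_RISK,
    }


def sa_deadline(rec: BreachRecord) -> datetime:
    """72 hours run from awareness, not from the incident itself."""
    return rec.aware_at + SA_DEADLINE


def hours_remaining(rec: BreachRecord, now: datetime) -> float:
    return (sa_deadline(rec) - now) / timedelta(hours=1)


def missing_notification_elements(rec: BreachRecord) -> list:
    """The four elements a notification must contain at least. Counts of
    subjects and records may be approximate or pending, so they are not
    required here; a phased notification supplies them later."""
    missing = []
    if not rec.nature:
        missing.append("nature of the breach")
    if not rec.contact:
        missing.append("DPO / contact point")
    if not rec.consequences:
        missing.append("likely consequences")
    if not rec.measures:
        missing.append("measures taken or proposed")
    return missing


def phase_one_notification(rec: BreachRecord) -> dict:
    """Initial notification payload; flags that further details will follow
    when any figure is still unknown."""
    return {
        "nature": rec.nature,
        "breach_types": sorted(t.value for t in rec.types),
        "data_subject_categories": list(rec.subject_categories),
        "approx_data_subjects": rec.approx_subjects,
        "record_categories": list(rec.record_categories),
        "approx_records": rec.approx_records,
        "contact": rec.contact,
        "likely_consequences": rec.consequences,
        "measures": rec.measures,
        "further_information_to_follow": rec.approx_subjects is None or rec.approx_records is None,
    }


if __name__ == "__main__":
    # Constructed sample: a processor reports that an unencrypted backup drive
    # holding a customer export was lost in transit; part of it has no other copy.
    rec = BreachRecord(
        nature="Unencrypted backup drive with customer export lost in transit",
        types=classify(disclosed=True, altered=False, access_lost=True),
        aware_at=datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc),  # constructed timestamp
        risk=Risk.HIGH_RISK,
        contact="dpo@example.org",  # placeholder contact
        consequences="Identity theft and fraud from exposed bank details",
        measures="Carrier search started; affected accounts flagged; exports now encrypted",
        subject_categories=("customers",),
        record_categories=("financial details", "bank account numbers"),
    )
    print(obligations(rec))
    print("SA deadline:", sa_deadline(rec).isoformat())
    print("missing:", missing_notification_elements(rec))
    print(phase_one_notification(rec))
```

The register records the awareness timestamp separately from the incident timestamp because, as the text explains, the 72 hours run from «becoming aware» rather than from the moment the incident happened; a processor's report would set `aware_at` for the controller.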
Flowchart showing notification and communication requirements