Alongside technological development, numerous tools and methods have emerged with the aim of gaining unauthorized access to personal data. Although the tools used for cyber-attacks are becoming increasingly sophisticated, personal data continues to be most at risk from human error and carelessness. Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation", "GDPR") sets out detailed requirements for businesses and organizations regarding the collection, storage, and processing of personal data; compliance with these requirements is essential both for the protection of personal data and for the proper enforcement of data security. The GDPR also contains provisions on how data controllers must act in the event of a personal data breach. In this article, we summarize the most important facts about personal data breaches.
Definition of the personal data breach
During the course of processing personal data, data controllers must take the measures specified in the GDPR to ensure the security of data processing. Under Article 4(12) GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Whether an incident qualifies as a personal data breach does not depend on how serious it is: any breach of security with one of the above consequences is a personal data breach. The level of risk to the data subjects matters only for the subsequent question of whether the breach must be reported to the supervisory authority and communicated to the data subjects (see below). Data controllers also need to be aware that it is not only the loss of personal data that constitutes a personal data breach. Personal data breaches include:
- Breaches of confidentiality, which occur when personal data is disclosed to, or accessed by, persons who are not authorized to see it. This may happen accidentally (e.g., an email sent to the wrong recipient, or documents containing personal data saved in a location where other, unauthorized persons, including other employees of the company, can read them), but also through intentional conduct (e.g., unauthorized access obtained by means of a phishing attack).
- Breaches of integrity, which occur when processed personal data is altered without authorization or by accident (e.g., when a person with access to accounting records, whether authorized or not, rewrites payment data, or an intruder modifies records in the database).
- Breaches of availability, which occur when processed personal data is destroyed (e.g., accidental deletion) or when access to it is lost, even temporarily (e.g., a server outage, or the loss or theft of a laptop or storage device holding the only copy of the customer database). Note that the loss or theft of a device is at the same time a confidentiality breach unless the data stored on it is adequately encrypted.
In summary, a personal data breach occurs when personal data is accessed without authorization, transferred without permission, or becomes inaccessible due to, for example, encryption by ransomware, accidental loss, or destruction.
Consequences of a personal data breach
Personal data breaches, if not handled properly and in a timely manner, can cause serious physical, material, or non-material damage to the people involved. Such consequences may include financial loss, identity theft, damage to reputation, or disclosure of confidential information. Furthermore, data protection incidents may lead to a loss of trust in the company as a data controller, and their improper handling may result in sanctions by the supervisory authority.
Procedure to follow in the event of personal data breaches
Given that personal data breaches can have serious consequences, the data controller is obliged to handle the situation in accordance with the GDPR as soon as it becomes aware of the breach. In practice this requires that anyone who notices such a breach immediately report it to the data protection officer or, where no data protection officer has been designated, to the person responsible for data protection within the organization. It is advisable to set out this internal reporting procedure in internal regulations, since the 72-hour deadline described below runs from the moment the controller becomes aware of the breach.
Record of the personal data breaches
Under Article 33(5) GDPR, the data controller must keep a record of all personal data breaches, including the facts relating to each breach, its effects and the remedial action taken. This record enables the supervisory authority to verify compliance and must be kept regardless of whether the breach had to be reported.
Reporting personal data breaches
Personal data breaches shall be reported to the competent supervisory authority, in Hungary the National Authority for Data Protection and Freedom of Information ("NAIH"), without undue delay and, where feasible, no later than 72 hours after the controller has become aware of the breach. If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Where not all of the required information is available at once, it may be provided in phases without further undue delay.
For the notification, the NAIH also provides a form available on its website, which can be submitted electronically (e.g., via official storage space or e-Paper service) by data controllers who are required to conduct electronic administration or who voluntarily undertake to do so.
The report must include:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
- the relevant extract from the controller's record of personal data breaches concerning the incident in question.
The report may be omitted only for so-called "bagatelle" incidents, i.e., breaches that are unlikely to result in a risk to the rights and freedoms of natural persons. Even in such cases, the incident must be entered in the record of personal data breaches, together with the reasons for concluding that notification was not required.
Communication with the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subjects without undue delay, in clear and plain language. The purpose of this measure is to enable the persons concerned to take the necessary precautions (e.g., reporting the theft of identity documents, blocking bank cards, changing passwords).
The risk must be assessed individually for each incident. Aspects to be taken into account include the type of personal data (e.g., special categories of data such as health data), the amount of data, the number of data subjects affected, how easily the data subjects can be identified, and the severity of the consequences for them.
The data subjects do not need to be informed of a high-risk personal data breach if:
- the affected personal data has been rendered unintelligible to any person not authorized to access it, in particular by encryption (provided the encryption key itself has not been compromised);
- the controller has since taken measures which ensure that the high risk to the data subjects is no longer likely to materialize;
- or informing the data subjects individually would require disproportionate effort. In that case, the persons concerned shall instead be informed by means of a public communication or similar measure whereby they are informed in an equally effective manner.
Note that the supervisory authority may also require the controller to communicate the breach to the data subjects if it considers the risk to be high.
Summary
Personal data breaches cover a very broad range of data security incidents. Such breaches can cause serious material or non-material damage to those involved, and if they are not handled properly, they can result in administrative fines which, for breaches of the notification and communication obligations, may under the GDPR reach EUR 10 million or 2% of the undertaking's total worldwide annual turnover, whichever is higher. Data controllers are obliged to ensure the protection of personal data from the outset of processing. Therefore, prevention should be the primary focus. Properly implemented security measures (e.g., access control and authorization systems, strong authentication and adequate protection of passwords, encryption of portable devices) can prevent many breaches from occurring in the first place. In order to determine and comply with these measures, it is advisable to prepare internal procedures and action plans in advance and review them at regular intervals, as well as to provide data protection training to persons involved in data processing (e.g., employees) at appropriate intervals. In the event of a concrete personal data breach, it is also recommended to involve an expert, given the special rules of the formal official procedure and the need for an individual assessment of the risk.