
Guidelines from the Spanish Data Protection Agency on security breaches
The Spanish Data Protection Agency (AEPD) has strengthened its guidance in recent years on how companies should act in the event of a security breach affecting personal data. Through its Guide for the Management and Notification of Security Breaches and the digital tool Comunica-Brecha RGPD, the Agency aims to ensure that data controllers have consistent and effective procedures in place to prevent, detect and respond to incidents.
What is considered a security breach
Article 4.12 of the General Data Protection Regulation (GDPR) defines a personal data breach as ‘any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’. The AEPD understands that a breach is not limited to an IT failure but includes any event that may affect the rights and freedoms of individuals whose data are being processed.
Security breaches are generally divided into three main categories:
- Confidentiality breaches, when there is unauthorized access or disclosure.
- Integrity breaches, when data are altered or tampered with without authorization.
- Availability breaches, when information is lost or cannot be recovered.
A single incident may fall into more than one of these categories; what matters is assessing whether it poses a real or potential risk to the data subjects.
Recommended actions to prevent risks
The best way to deal with a breach is to prevent it. The AEPD recommends conducting regular risk assessments and implementing appropriate technical and organizational measures, such as encryption, multifactor authentication and continuous system updates. It is also essential to establish clear internal policies on incident management, access control, and data backups, integrating them into the company’s compliance program.
Staff training is a critical element, as many incidents originate from human error. Employees should know how to identify and report potential threats such as phishing attempts or suspicious access. It is also important to have contracts in place with data processors that require immediate notification of any incident and cooperation in resolving it.
Finally, the AEPD advises carrying out breach simulations and internal audits to assess response capacity and detect vulnerabilities. Prevention, anticipation, and continuous improvement are key to minimizing the impact of potential incidents.
How a security breach should be managed
When a breach occurs, the data controller must act swiftly, following a predefined action plan. The first step is to contain the damage and isolate the affected systems. Next, the cause of the incident must be identified, and corrective measures applied to eradicate the source of the problem. Once the situation is under control, the organization should proceed to recover the affected data and services, ensuring that everything is functioning properly and that each action is documented.
Under the GDPR, the breach must be notified to the AEPD without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the rights and freedoms of individuals. The notification must be submitted through the Agency’s official online form and include the nature of the incident, the number of individuals affected, the possible consequences, and the measures adopted.
If the breach presents a high risk, it must also be communicated to the affected individuals clearly and understandably, informing them of the incident and any steps they can take to protect themselves. Even if the breach is not notifiable, the controller is required to record it internally, documenting its causes and the actions taken, in line with the GDPR’s accountability principle.
Security breaches are, in many cases, unavoidable, but their impact can be significantly reduced if organizations have effective preventive mechanisms and a well-structured response protocol. The AEPD reminds organizations that managing a breach is not merely a legal obligation but also an opportunity to demonstrate a company’s genuine commitment to privacy and information security.

Letslaw is an international law firm specializing in business law.