Personal data breaches: How to react

The development of new technologies brings an increase in the risks to the right to privacy, creating a need for the establishment of new rules that specifically regulate and protect the processing of citizens’ personal information.

Suffering a security incident has become a matter of probability. This is a reality that is difficult to accept, not only from a technical point of view, but also because of the economic consequences it can have on the entity that suffers it.

It is therefore important to try to prevent personal data breaches and, if they do occur, to manage them appropriately, especially when they may put the rights and freedoms of individuals at risk.

What is a personal data breach?

While all personal data breaches are information security incidents, not every security incident is necessarily a personal data breach.

The Spanish Data Protection Agency (hereinafter “AEPD”) defines a security breach as “a security incident resulting in the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data processed by a data controller”.

Therefore, for an incident to qualify as a personal data breach, personal data must be compromised. 

When must data subjects be notified of a security breach?

Pursuant to Article 34 of the General Data Protection Regulation (hereinafter GDPR), data controllers are obliged to notify data subjects of personal data breaches that may pose a high risk to their rights and freedoms. 

While the guidance drafted by the AEPD in 2018 established a simple mathematical formula to decide whether or not the breach had to be communicated, the new guidance dispenses with all mathematical criteria and instead focuses on analysing the nature and consequences of each breach on an individual basis.

Specifically, the following are established as the fundamental requirements for this purpose: (i) analysing the severity of the risk generated by the breach, (ii) assessing the probability of this risk materialising and (iii) assessing the impact on Fundamental Rights.

Protocol to follow in the event of a personal data security breach in your company

In the event of a personal data breach, an organised action plan must be drawn up. Among other things, such a plan should specify the actions to be taken that are aimed at determining the root cause of the breach; determining the extent of the breach along with its impact and the severity of its effects; or neutralising its damage.

In addition, under the GDPR, companies must document any breach of personal data security, including details of the facts, its effects and the remedial action taken. This obligation becomes essential in the context of being investigated by the AEPD, as the documentation produced will allow the supervisory authority to verify compliance with the obligations imposed in the GDPR.

It should be noted that, in addition to the obligation to notify the data subjects of the breach, Article 33 of the GDPR requires controllers of a personal data processing operation to notify the competent supervisory authority of personal data breaches that are likely to pose a risk to the rights and freedoms of individuals.

All in all, a personal data breach can be the seed from which adverse effects of significant magnitude can germinate for individuals, liable to cause physical, material or immaterial damages. 

Therefore, at Letslaw by RSM we recommend being aware of these risks and implementing preventive measures. Although such measures entail economic costs and may not translate a priori into a clear return on investment, they will reduce the risk of such breaches in the long run.

In any case, and because zero risk does not exist, we recommend that any victim of a security breach get in contact with professionals in the field who can assess the specific case and prevent any regulatory breach that could lead to a significant sanction.

Letslaw by RSM has specialists in digital law ready to help you prevent a security breach or mitigate its effects if it has already occurred.