According to the GDPR (Article 4(12)):
“Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Why is a data breach a big deal? Because a single breach can result in, among other things:
- Loss of control over personal data
- Limitation of rights
- Discrimination
- Identity theft or fraud
- Financial loss
- Unauthorised reversal of pseudonymisation
- Reputational damage
- Loss of confidentiality of personal data protected by professional secrecy
Only recently we witnessed a data breach in the Swedish transport sector, an accidental disclosure of customer data, and a couple of months ago one of the largest breaches to date was reported in the UK.
To prevent a data breach, and to be prepared when one occurs anyway, you have to keep asking questions such as:
- Have we carried out a Privacy Impact Assessment (a Data Protection Impact Assessment, in GDPR terms)?
- At what stage do we need to appoint a Data Protection Officer?
- Do we have sufficient technical safeguards in place? Are we ensuring privacy by design and privacy by default?
- Are we maintaining an internal breach register? Article 33(5) requires every breach to be documented, including those that are not notified.
- Where do we store data? Who has access to it?
- Do we properly redact personal data that is not required for the purpose at hand?
- How do we know when a data breach occurs? Do we have internal SOPs, and do we test them against failure scenarios?
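Two of the questions above, redaction and the "unauthorised reversal of pseudonymisation" risk listed earlier, are worth making concrete. The following is an added example, not code from the original post: it strips a support ticket down to the fields a downstream team needs, scrubs identifiers that hide in free text, and then shows why an unkeyed hash of an e-mail address is not a safe pseudonym (anyone holding a list of candidate addresses can reverse it), whereas an HMAC with a separately stored key resists the same dictionary attack while still letting records for the same person be joined. The sample record, field names, regular expressions and key handling are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample record: a support ticket as it might sit in a queue
# before being handed to a team that only needs to route it.
SAMPLE_RECORD = {
    "ticket_id": "T-1042",
    "email": "alice@example.com",
    "phone": "+46 70 123 45 67",
    "body": "Hi, I'm alice@example.com, please call me on +46 70 123 45 67.",
    "category": "billing",
}

# Fields the downstream purpose actually needs (data minimisation).
NEEDED_FIELDS = ("ticket_id", "category", "body")

# Patterns for direct identifiers that may still hide in free text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")

# Pseudonymisation key: in practice fetched from a secret store and kept
# apart from the pseudonymised data; generated here only so the example runs.
PSEUDONYM_KEY = secrets.token_bytes(32)


def redact_record(record, needed_fields=NEEDED_FIELDS):
    """Drop fields the purpose does not need and scrub identifiers from
    any free text that is kept."""
    kept = {k: v for k, v in record.items() if k in needed_fields}
    for k, v in kept.items():
        if isinstance(v, str):
            v = EMAIL_RE.sub("[EMAIL]", v)
            v = PHONE_RE.sub("[PHONE]", v)
            kept[k] = v
    return kept


def weak_pseudonym(email):
    """Unkeyed hash. Deterministic, but anyone with the same algorithm
    and a candidate list can reverse it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email, key=PSEUDONYM_KEY):
    """HMAC with a secret key. Still deterministic (records for the same
    person still join), but cannot be reversed without the key."""
    return hmac.new(key, email.strip().lower().encode(), "sha256").hexdigest()


def dictionary_reverse(pseudonym, candidates, pseudonymise):
    """What an attacker does with a leaked pseudonym: run every candidate
    identifier through the presumed scheme and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    candidates = ["bob@example.com", "alice@example.com", "carol@example.org"]
    print(redact_record(SAMPLE_RECORD))
    leaked_weak = weak_pseudonym(SAMPLE_RECORD["email"])
    print("unkeyed hash reversed to:",
          dictionary_reverse(leaked_weak, candidates, weak_pseudonym))
    leaked_keyed = keyed_pseudonym(SAMPLE_RECORD["email"])
    print("keyed pseudonym reversed to:",
          dictionary_reverse(leaked_keyed, candidates, weak_pseudonym))
```

The attacker in `dictionary_reverse` knows the algorithm but not the key, which is the whole point: a breach of the pseudonymised dataset alone does not expose identities as long as the key lives elsewhere and is rotated on its own schedule. Redaction of free text is best effort; the regular expressions catch the common shapes of e-mail addresses and phone numbers, not every way a customer might write them, so keeping the field out of the dataset is still preferable to scrubbing it.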
In case a data breach occurs, here is a "starter" notification checklist:
- Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and records concerned
- Describe the measures taken or proposed to address the breach and to mitigate its possible adverse effects
- Notify the supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk, also inform the affected data subjects without undue delay
- If the 72-hour deadline isn't met, the reasons for the delay have to be provided to the supervisory authority
Key questions to close on:
- How prepared are you to prevent a data breach?
- How prepared are you to act in case one occurs?
- How prepared is your team?