GDPR The Basic Facts — Data Breaches
This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot cover every organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the concept and consequences of Data Breaches.
A personal data breach occurs when an organisation has lost control over its processing of personal data.
A personal data breach has two distinct characteristics:
1. It involves a breach of security
2. That breach of security has led to the destruction, loss, alteration, disclosure of or unauthorised access to personal data
A breach of security is not confined to incidents where someone has maliciously obtained personal data. The definition is much wider and includes:
· Data integrity failures, such as corruption of data
· Confidentiality failures such as theft or accidental disclosure
· Data loss, such as accidental loss or malicious destruction
· Data transfer to unauthorised parties
The GDPR requires any organisation that becomes aware of a personal data breach that could affect the rights and freedoms of individuals to report it to the appropriate regulatory authority within 72 hours. Each regulator in the EU Member States will have a mechanism for receiving data breach notifications; generally via a form on their website.
The intention behind this regulation is to prevent organisations from keeping quiet and hoping that the bad news will go away. Whilst this is a tempting option for organisations, it is bad for the data subject as the loss of their personal data may expose them to a risk of identity fraud. If people know about the loss of their data they may be able to take some precautionary actions, such as monitoring their credit profile.
Recent revelations about major breaches of personal data that were kept secret from regulators and the individuals affected have ensured that the regulator will take a dim view of delaying tactics. The 72-hour reporting deadline, which runs from the time an organisation becomes aware of a breach, will strengthen the regulator’s enforcement options if an organisation delays its report.
In short, there will be a notifiable personal data breach whenever any personal data is unexpectedly lost, destroyed, corrupted or disclosed and the rights and freedoms of the individual are at risk. The latter point here is important. Not all personal data breaches must be notified; if individuals’ rights and freedoms are unlikely to be affected, then the organisation can choose not to notify the regulator.
For example, if a small amount of low value data is lost and it is protected by high-strength encryption, then an organisation may decide that the risk to the data subject is low enough that a report is not needed.
Each decision taken must be documented and kept on a register, regardless of whether the breach has been notified or not. The record of data breaches may be inspected at any time, so that regulators have the option to review whether a business has been managing its reporting requirements effectively.
If you enjoy reading stories like this and want to support me as a writer, consider signing up to become a Medium member. It’s $5 a month, giving you unlimited access to stories on Medium. If you sign up using my link, I’ll earn a small commission.
Here are the links to the rest of the book.