The Ultimate Guide to Personal Data Breaches

In today’s digital landscape, organizations entrusted with personal data face significant challenges posed by data breaches. The GDPR requires controllers to not only implement robust security measures but also promptly report breaches and work closely with processors. Controllers are obligated to provide thorough information to authorities and evaluate whether affected individuals need to be notified. Compliance entails diligent documentation and the active involvement of Data Protection Officers (DPOs). Crucially, preventive measures such as implementing strong security protocols and conducting employee training are essential in mitigating breach risks.

Neglecting proper breach management can result in severe consequences, underscoring the importance of proactive approaches.

1. Responsibilities of a controller in case of a data breach

Let’s start by highlighting that Article 32 of the GDPR places responsibilities on both controllers and processors to implement technical and organizational measures for secure data processing. These measures, influenced by factors such as available technology, costs, and the nature of processing, play a crucial role in mitigating data breaches.

Now, when a breach occurs, quick responses from organizations are vital. As per Article 33 of the GDPR, controllers are required to report breaches within 72 hours of becoming aware of them, unless the risks to individuals’ rights are deemed unlikely.

Here, the European Data Protection Board (EDPB) emphasizes that a controller is considered ‘aware’ of a breach when there is reasonable certainty that personal data has been compromised as a result of a security incident.

While we can agree that in some situations this will be obvious from the very start, in others it may take some time. Regardless, controllers should quickly initiate an investigation to ascertain whether a personal data breach has happened. Note that during this short investigation period, the controller may not yet be considered “aware”!

Furthermore, following Article 33(2) of the GDPR, processors are obligated to inform controllers, rather than the supervisory authority, when they become aware of a data breach. Consequently, controllers should have agreements in place with their processors ensuring that they are promptly notified in case of a breach, which supports their own obligation to report to the supervisory authority within the 72-hour timeframe.

1.1. What information should a controller provide to the Supervisory Authority in case of a breach?

When it comes to the controller reporting a breach to the supervisory authority, as outlined in Article 33(3) of the GDPR, it should, at a minimum:

  1. Describe the nature of the breach, including the categories and approximate number of affected data subjects and personal data records.
  2. Provide the name and contact details of the data protection officer (DPO) or a contact point for further information.
  3. Explain the likely consequences of the breach.
  4. Outline the measures taken or planned to address the breach, including steps to mitigate potential adverse effects.

An interesting aspect of the GDPR is that it permits approximations in cases where precise details are not yet available, so that breach notification is not delayed. Consequently, controllers may need to conduct further research and provide additional information in phases. This is permissible, provided that the controller explains the reasons for the delay.

Keep in mind that controllers can also choose to offer more information than what is strictly required under Article 33(3)(a) to (d) to enhance transparency!

1.2. Are controllers required to report a data breach to a Supervisory Authority?

Article 33(1) of the GDPR highlights that breaches unlikely to result in a risk to the rights and freedoms of individuals don’t require notification to the supervisory authority.

You could consider, for instance, a situation where personal data is already publicly available, so that its disclosure poses no additional risk. Similarly, if personal data is protected with state-of-the-art encryption, regularly backed up, and unlikely to be accessed by unauthorized parties, an immediate notification may not be required. However, keep in mind that this assessment could evolve over time, notably if the encryption key is later leaked.

Having said this, data controllers should still objectively assess the likelihood and severity of the impact of the breach on rights and freedoms to establish if proper notification is needed.

1.3. When should a controller notify the breach to affected individuals?

If we now look at Article 34(1) of the GDPR, the controller is obligated to promptly inform data subjects of a personal data breach if it’s likely to result in a high risk to their rights and freedoms. As you might have noticed, this establishes a higher threshold compared to Article 33 of the GDPR, ensuring that notifications to data subjects are reserved for more serious breaches.

Moreover, looking at the language in Article 34(1), it emphasizes notifying data subjects ‘without undue delay’ or, in simpler terms, ‘as soon as reasonably possible,’ considering the potential high risks to the data subject. Unlike Article 33, Article 34 doesn’t specify a fixed 72-hour deadline. Instead, the timeframes are assessed based on the nature and severity of the breach and the level of risk to individuals.

Bear in mind that the implementation of measures against ongoing breaches, aiming to mitigate consequences for individuals, could justify a delay in the notification!

1.4. What information should a controller provide to the affected individuals?

Once it is established that the controller must inform individuals, Article 34(2) of the GDPR outlines that it should, at the very least, provide the following information:

  1. A description of the nature of the breach.
  2. The name and contact details of the data protection officer or other contact point.
  3. A description of the likely consequences of the breach.
  4. A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Typically, notification of a data breach should be communicated directly to the individuals affected, for instance through direct messages or banners on websites. However, if such direct communication would involve a disproportionate effort, public announcements or similar measures might be considered.

1.5. Are controllers required to report a data breach to affected individuals?

Article 34(3) of the GDPR outlines three exceptions to the controller’s duty to notify data subjects. Note that to adhere to the accountability principle, controllers must demonstrate to the supervisory authority that they meet one or more of these specified conditions.

  1. The controller applied appropriate technical and organizational measures before the breach, such as state-of-the-art encryption.
  2. Post-breach, the controller promptly nullified the high risk to individuals’ rights and freedoms, for instance, by taking immediate action against the unauthorized access.
  3. It would be a disproportionate effort to contact individuals, for instance in cases where contact details are lost or unknown, like in a physical document storage breach.

Keep in mind that if a controller chooses not to notify, the supervisory authority might still require communication if it considers that a high risk remains. As you could expect, such intervention by the supervisory authority may lead to sanctions if the controller’s decision not to notify lacks merit.

Furthermore, controllers should pay close attention to national law, as several Member States have introduced their own rules concerning the notification of breaches to data subjects!

2. How to assess the risk & high risk resulting from a breach?

When a data breach is identified, the controller’s responsibility extends beyond containment—it also involves assessing the potential risks and their severity. These risks arise when the breach has the potential to cause physical, material, or immaterial harm to individuals, including discrimination, identity theft, financial loss, or harm to reputation. As you could expect, breaches involving sensitive data increase the risk of such damages.

2.1. EDPB Risk Assessment

As discussed earlier, the key factor triggering the notification to individuals is the possibility of a high risk.

Following both Article 33 and Article 34, when a controller assesses the risk posed to data subjects by a breach, it needs to consider two main factors: the severity of the potential impact and the likelihood of it occurring.

While this assessment may appear somewhat unclear, we can gain better insight by looking at the European Data Protection Board (EDPB) assessment, which considers the following criteria:

  • Type of Breach: For instance, the unavailability of data due to a short blackout might have a lower impact than a breach of confidentiality of medical records.
  • Nature, Sensitivity, and Volume of Personal Data: The impact depends on the nature and sensitivity of the compromised data. Hence, the disclosure of medical or financial information could have more severe consequences for individuals than the disclosure of a phone number.
  • Ease of Identification: The easier it is to (directly) identify data subjects from the breach, the higher the risk. As such, encrypting data at rest and in transit, or implementing pseudonymization can drastically reduce the ease of identification.
  • Impact for Individuals: A controller should consider the potential damage to individuals, especially if the breach involves special categories of data that could result in identity theft, physical harm, psychological distress, or damage to reputation.
  • Special Characteristics of Individuals: Breaches may disproportionately affect vulnerable individuals, such as children or medical patients, who may be at greater risk of harm.
  • Number of Affected Individuals: A data breach can do significant damage whether it affects a handful of people or thousands. While larger breaches have a greater overall impact, it’s critical to remember that even a breach affecting a single person can be serious, depending on the kind of data compromised and the context!
  • Special Characteristics of the Data Controller: The nature and activities of the data controller play a role in assessing the risk. For instance, a financial or medical organization handling special categories of data poses a greater threat to individuals if a breach occurs.

With that in mind, when a controller assesses the risk that is likely to result from a breach, it should, on a case-by-case basis, consider a combination of the severity of the potential impact on the rights and freedoms of individuals and the likelihood of that impact occurring.

3. Obligation to document the breach

Under GDPR Article 33(5), data controllers are required to document any personal data breaches once they become aware of them. This should cover:

  • The facts about the breach,
  • The consequences of the breach,
  • Any action taken by the controller to address the breach.

Keep in mind that this documentation rule applies to all breaches, regardless of the potential impact on individuals’ rights and freedoms!

3.1. What is the role of the DPO in case of a breach?

As a general practice, a controller or processor has the option to appoint a Data Protection Officer (DPO); this can be a mandatory requirement under Article 37 of the GDPR or done voluntarily. Article 39 outlines the minimum tasks of the DPO, but it doesn’t stop the controller from assigning more if needed.

So, when it comes to dealing with breaches, the controller or processor can bring in their DPO. They can even entrust the DPO with the responsibility of keeping records of data breaches. The European Data Protection Board even suggests keeping the DPO in the loop from the outset: informing them promptly about breaches and involving them throughout the entire process of managing and notifying breaches.

4. How to prevent data breaches?

When it comes to establishing a strong data breach strategy, one should focus on key elements including robust security tools, a well-thought-out response plan, and a team of well-trained personnel. Ultimately, the organization’s strength relies on its own security practices and the awareness of its employees. Let’s explore some common practices that can help to prevent data breaches.

  • Multi-Factor Authentication (MFA): requiring users to provide multiple forms of identification reduces the risk of unauthorized access, and therefore the likelihood of a data breach, by adding a further hurdle for potential attackers.
  • Keeping software and antivirus updated: this is crucial to prevent data breaches, as updates often include security patches that address vulnerabilities that could be exploited or that could cause disruption.
  • Employee awareness training: this ensures that all employees are informed about the latest security threats, best practices, and preventive measures, reducing the likelihood of falling victim to cyber threats such as phishing.
  • Response plan: in any case, you should always prepare for the worst by creating a comprehensive response plan. By outlining clear procedures and assigning responsibilities, a response plan enhances organizational readiness, mitigates risks, and minimizes the impact of data breaches before they escalate.

Keep in mind that not handling or reporting a data breach appropriately can result in serious consequences! In addition, regulatory bodies, like supervisory authorities under the GDPR, have the authority to impose sanctions in the event of a breach.

Indeed, an unmanaged breach may lead to:

  • Financial Penalties: Regulatory bodies can impose fines of up to a maximum of 10 million euros or 2% of the global annual turnover, depending on the severity of the violation, on organizations that fail to comply with their breach notification and containment obligations.
  • Reputational Damage: Failing to report or appropriately manage a data breach can seriously harm an organization’s reputation. Notably, loss of customer trust and confidence can have long-lasting effects on the business, and overall brand image!
  • Operational Disruptions: Dealing with the aftermath of an unreported or mismanaged breach can disrupt normal business operations. Indeed, an organization may need to allocate resources to address the breach, implement corrective measures, and comply with regulatory investigations, diverting attention and resources from core business activities.

Conclusion

In conclusion, it’s crucial to recognize the certainty of data breaches and understand that being proactive is just as essential as notifying and responding effectively to breaches. While having an effective plan in place is crucial, actively implementing strong security measures, staying vigilant through continuous monitoring, and educating employees are equally vital. Together, these elements create a strategy that not only strengthens resilience against potential breaches but also works towards preventing and lessening their impact.

Written by

Kevin François

Consultant @ CRANIUM
