Despite all security measures, a data breach can occur within a company. In such cases, a swift and correct response is essential. Failure to comply with data protection legislation carries the risk of heavy penalties (Article 83(4),(5) GDPR, § 42 BDSG new version), and all affected individuals also have the right to compensation for damages.
Examples of Data Breaches
- Hacking
- Break-in with theft of data
- Ransomware infection
- A system failure
- The intentional or unintentional alteration of data
- The inadvertent deletion of data
- The deletion of data by an unauthorised person
- The loss of a mobile storage device (mobile phone, USB stick, tablet, etc.)
- The loss of documents containing personal data during postal delivery
- The loss of a decryption key
- The unauthorised disclosure of data
- The accidental transmission of data to the wrong recipient
Measures in the Event of Data Breaches
-
Ensure that your employees are trained to handle data breaches. It should be clear to your staff that in the event of a data breach, prompt escalation of the incident is necessary. Employees often react with delay because they fear consequences for their own conduct. Make sure your employees understand that data breaches frequently occur through no fault of anyone, and that swift action can prevent a great deal of harm.
-
If your company has a data protection officer, inform them immediately.
-
Where a data breach poses a risk to the rights and freedoms of natural persons, the competent data protection supervisory authority must be notified without undue delay (where possible, within 72 hours). The deadline begins upon the identification of the data breach. This task should be assumed by the data protection officer or the management. This obligation applies regardless of whether the data breach was caused by negligence or was unintentional. There are no exceptions to this reporting obligation, for example for small businesses. A late notification must be accompanied by reasons for the delay. The longer the deadline has been exceeded, the more detailed your explanation should be. The authorities provide forms on their websites that ask for the necessary information about the data breach. Information may, in accordance with Art. 33(4) GDPR, be provided in stages where this is not otherwise possible. The principle is: speed over completeness. Whenever relevant new information comes to light, you must submit a follow-up notification within 72 hours, referring to any previous notifications. In the case of deliberate attacks, you should consider involving law enforcement.
-
All affected individuals who face a high risk to their rights and freedoms as a result of the data breach must be informed, but only once the data protection authority has given its consent. This rule gives the authorities the opportunity to investigate a hacking attack before it becomes public. The notification must be written in clear, plain language and be sufficiently well-structured that the content can be grasped immediately. Using the notification sent to the supervisory authority for this purpose is therefore not appropriate. The communication must include the name and contact details of the data protection officer or another point of contact, the nature of the data breach, a description of the likely consequences of the breach, possible self-protective measures available to the affected person, and information on the measures taken by the company. Where the effort involved in giving notice is disproportionate, a public announcement may be made instead. This would be the case, for example, where no contact details are available, where only outdated contact details exist, or where the number of those affected cannot be determined. If you are considering a public announcement, you should take into account the impact on the company’s image.
-
In the case of processing carried out on behalf of another party (contract processing), the processor is obliged to support the controller. The processor is not required to notify the authorities or affected individuals. Where applicable, you may wish to specify the support obligation in the data processing agreement with regard to the information to be provided, the scope of the protective measures, the allocation of costs incurred, and so on.
-
Keep careful records of your experience in dealing with previous data breaches in order to meet your documentation obligations. This will also help you to identify which measures are necessary, sensible, and effective in responding to an active data breach.
