As you may already know, the GDPR introduces an obligation on all organizations to report (under certain circumstances) personal data breaches to the supervisory authority within 72 hours after becoming aware of the breach. In addition, if the breach results in a high risk of adversely affecting individuals’ rights and freedoms, your organization must also inform those individuals without undue delay.
A personal data breach is defined as:
a breach of securityleading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
There are 3 type of breaches:
- Confidentialitybreach: an unauthorized or accidental disclosure of, or access to, personal data (e.g. people are given access to data to which they should not have access to);
- Integritybreach: an unauthorized or accidental alteration of personal data (e.g. someone modifies data without being authorized to do so);
- Availabilitybreach: an accidental or unauthorized loss of access to, or destruction of, personal data (e.g. data is encrypted but the key is lost);
- or a combination thereof.
Organizations may incur very high fines for failure to comply with this obligation. Therefore, make sure that your organization is well prepared for a possible personal data breach.
We provide you with a 10-step checklist to verify whether your organization is well prepared.
As an organization, you need to:
- have technical and organizational security measures in place.
- be able to recognize a personal data breach and you understand that it’s not only about loss or theft of personal data.
- know when your organisation becomes “aware” of a personal data breach.
- have an internal reporting procedure in place and appoint a dedicated person or team for managing breaches.
- have in place a process to assess the likely risk of the personal data breach to individuals.
- have prepared a response plan for addressing any personal data breach that occurs.
- know when to notify the supervisory authority and the individuals concerned.
- know what information you must provide to the supervisory authority and the individuals concerned.
- know who is the relevant supervisory authority for your processing activities.
- know that you need to document all personal data breaches, even if that breach must not be notified.
If your organisation is not able to tick all the boxes or if you have any questions about the implementation of certain boxes or about privacy & data protection in general, you can contact a lawyer of our international law firm Timelex.