
Data breach response plan

A data breach happens to the best of us. Every company or organisation can face it sooner or later. In European countries, tens of thousands of data breaches have been reported to local authorities. In the Netherlands, for example, around 25,000 reports were made. When a data leak occurs, an organisation faces a lot of issues in a short period of time. Fast and adequate action is crucial in such incidents. In this article, we provide a practical step-by-step action plan of what to do in the event of a (potential) data breach, particularly in light of the obligations under the General Data Protection Regulation (GDPR).
 
Sven Wakker
21 March 2023

What is a (personal) data breach?

What is the definition of a data breach or, as it is colloquially called, a data leak? The General Data Protection Regulation (hereinafter 'GDPR') defines a personal data breach as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

In other words, it is a broad definition. Depending on the context, a data breach occurs when personal data has been accidentally or unlawfully:

  • destroyed (e.g. fire in a data centre);
  • lost (e.g. loss of USB stick containing personal data); or
  • made accessible to unauthorised persons, or may have been (e.g. an attacker has exfiltrated personal data).

 

Data breach response plan

1 - Are personal data (potentially) involved?

From the moment you are notified of a security or cyber incident, such as a DDoS attack or a website hack, it is important to examine the situation. Establish the facts and circumstances and get a clear picture of what happened: which systems were affected, what data they held, and over what period. This information is also crucial for the follow-up steps.

A security or cyber incident does not always mean that there is also a personal data breach within the meaning of the GDPR. As follows from the definition above, there is a 'personal data breach' in the legal sense, and thus a data breach, only if the incident involves personal data. Incidents in which (only) other data has been lost, e.g. technical metadata or company information, do not qualify as personal data breaches. These incidents fall outside the scope of the GDPR and do not need to be reported under the GDPR. For the sake of completeness: such incidents may still have to be reported under other (local) legislation, for example sector-specific or network and information security rules.

2 - Act as soon as possible in the event of a personal data breach

Once you have established that there is a personal data breach within the meaning of the GDPR, determine as soon as possible whether it must be reported to the (national) supervisory authority and/or to the data subjects. The GDPR requires notification to the supervisory authority without undue delay and, where feasible, no later than 72 hours after you became aware of the breach. Note that the clock starts when you become aware of the breach, not when your investigation is complete. The notification should describe the nature, cause and extent of the breach and its likely consequences, so every effort has to be made to establish these quickly. If not all of this information is available within 72 hours, submit an initial notification and supplement it in phases without undue further delay; a notification made after 72 hours must state the reasons for the delay.

Depending on the nature and scope of the personal data breach, it may be necessary to form a (multidisciplinary) action team and divide the tasks among the team members. This will ensure that the right people are doing the right things. That team should preferably include people from a variety of disciplines. Think of members of the board, the ICT department, the legal department and the facilities department. Make a clear division of tasks, and keep the lines of communication short. 

The GDPR requires companies and organisations to document every personal data breach: the facts surrounding it, its effects and the remedial action taken. The practical way to meet this is a logbook kept from start to finish, in which every event and action is recorded with its date and time, together with any evidence (tickets, screenshots, log extracts). This record is also what the supervisory authority will use to verify that you complied with your obligations.

3 - Try to fix the data breach

In addition to the actions to be taken under the GDPR, the personal data breach should obviously be remedied as soon as possible. In doing so, engage the relevant IT suppliers and request their full cooperation. The IT supplier can not only remedy the personal data breach, but can also investigate its cause and help take other measures to limit damage and adverse consequences for data subjects. One caveat: before systems are rebuilt, wiped or restored, preserve the logs and forensic images you will need, because both the cause analysis and the content of the notification depend on them.

3A - Assess whether you need to report the data breach to the supervisory authority

At the same time as resolving the data breach, you will need to assess whether the data breach should be reported to the supervisory authority. The basic principle is: report, unless it is unlikely that the personal data breach results in a risk to the rights and freedoms of natural persons.

This means that you will have to make a risk assessment: to what extent is the personal data breach likely to affect the privacy of the data subject(s)? In practice, a data breach will often qualify as one that must be reported to (at least) the supervisory authority.

Note: Even if you are of the opinion that the personal data breach does not need to be reported to the supervisory authority, you need to register the personal data breach in the (legally required) internal personal data breach register.

3B - Assess whether you need to report the data breach to the data subject(s)

If the personal data breach must be reported to the supervisory authority, it must also be determined whether the data subject(s) must be informed as well. Inform the data subject(s) only if the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject(s). When determining the risk level, one looks objectively at the degree of likelihood of the risk materialising and what the impact of the occurrence of the risk will be for the data subjects.

Is the personal data breach likely to cause, for example, discrimination, (identity) fraud leading to financial damage, or disclosure of data that a professional, such as a doctor, should have kept secret? Has credit card data been captured, for instance, or does it involve special personal data such as medical data? If so, a high risk is quickly established and the data subject(s) must therefore be informed about the personal data breach.
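The decision rules of steps 2, 3A and 3B lend themselves to a small triage helper: it keeps the timestamped logbook, tracks the 72-hour clock from the moment of awareness, and derives who has to be told from the outcome of the risk assessment. The code below is an added example and is not part of the original article; the class and function names, the thresholds for warning about a phased notification, and the sample incident are all constructed for illustration. The article references in the comments are to the GDPR.

```python
"""Added example (not from the original article): GDPR breach triage helper.

Tracks the Art. 33 notification clock from the moment of awareness, keeps a
timestamped log (Art. 33(5) documentation) and applies the step 3A/3B rule:
unlikely risk -> register only; risk -> notify authority; high risk -> also
inform data subjects. Names and the sample incident are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# Art. 33(1): "where feasible, not later than 72 hours after having become aware".
NOTIFICATION_WINDOW = timedelta(hours=72)
# Constructed threshold: below this, push an initial notification and supplement
# in phases (Art. 33(4)) rather than wait for the full picture.
PHASED_WARNING = timedelta(hours=24)


class Risk(Enum):
    """Outcome of the risk assessment for the rights and freedoms of data subjects."""
    UNLIKELY = "unlikely"   # register internally only
    LIKELY = "likely"       # notify the supervisory authority (Art. 33)
    HIGH = "high"           # also inform the data subjects (Art. 34)


@dataclass
class BreachRecord:
    title: str
    aware_at: datetime                    # moment of awareness: this starts the clock
    personal_data_involved: bool          # step 1: outside GDPR scope if False
    risk: Optional[Risk] = None           # None until step 3A/3B is done
    log: List[Tuple[datetime, str]] = field(default_factory=list)

    def record(self, when: datetime, event: str) -> None:
        """Append a timestamped logbook entry (step 2)."""
        self.log.append((when, event))

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_left(self, now: datetime) -> float:
        """Hours until the 72-hour window closes; negative when overdue."""
        return (self.deadline() - now) / timedelta(hours=1)

    def required_actions(self) -> List[str]:
        """Steps 1, 3A and 3B as a decision rule: who has to be told."""
        if not self.personal_data_involved:
            return ["no personal data involved: outside GDPR; check other reporting duties"]
        if self.risk is None:
            return ["risk assessment pending"]
        actions = ["register in internal breach register"]
        if self.risk in (Risk.LIKELY, Risk.HIGH):
            actions.append("notify supervisory authority")
        if self.risk is Risk.HIGH:
            actions.append("inform data subjects")
        return actions

    def notification_status(self, now: datetime) -> str:
        """Is the authority notification in time, due as a phased initial notice, or overdue?"""
        if "notify supervisory authority" not in self.required_actions():
            return "no authority notification required"
        left = self.deadline() - now
        hours = left / timedelta(hours=1)
        if left < timedelta(0):
            return f"overdue by {-hours:.1f} h: notify now and state the reasons for the delay (Art. 33(1))"
        if left < PHASED_WARNING:
            return f"{hours:.1f} h left: submit an initial notification and supplement in phases (Art. 33(4))"
        return f"{hours:.1f} h left"


def sample_incident() -> BreachRecord:
    """Constructed incident: a laptop with an unencrypted customer export is stolen."""
    t0 = datetime(2023, 3, 20, 9, 15, tzinfo=timezone.utc)
    rec = BreachRecord("stolen laptop with unencrypted customer export",
                       aware_at=t0, personal_data_involved=True)
    rec.record(t0, "helpdesk ticket: sales laptop stolen from car")
    rec.record(t0 + timedelta(hours=2),
               "IT confirms disk not encrypted; export with 4,200 customer records present")
    rec.risk = Risk.HIGH   # financial data, no encryption: high risk for the data subjects
    rec.record(t0 + timedelta(hours=5), "risk assessed as high; legal drafting notifications")
    return rec


if __name__ == "__main__":
    rec = sample_incident()
    for when, event in rec.log:
        print(when.isoformat(), event)
    print("deadline:", rec.deadline().isoformat())
    print("actions:", rec.required_actions())
    print(rec.notification_status(rec.aware_at + timedelta(hours=50)))
```

The helper deliberately starts the clock at the moment of awareness rather than at the end of the investigation, and it reports a phased initial notification as the right move when the window is nearly closed; the exact warning threshold is a local choice, not a GDPR figure.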

4 - Content of the notification to (i) the supervisory authority and (ii) the data subject(s)

The notification of the data breach to the supervisory authority is done via a form on the website of the local supervisory authority, in the Netherlands this is the Dutch Data Protection Authority ("Autoriteit Persoonsgegevens").

This notification contains at least the following information:

  • A description of the data breach;
  • Name and contact details of a contact person (if present, this is the Data Protection Officer);
  • Which categories of data subjects are involved in the data breach (children, customers, employees, etc.) and, approximately, how many;
  • Which categories of personal data records are involved in the data breach (health, education, financial data, etc.) and, approximately, how many;
  • The likely consequences of the data breach;
  • The measures proposed or taken to remedy the data breach or mitigate its consequences.

In principle, you notify the data subjects directly. Often, this is easiest to do by e-mail or letter. Only if direct notification would involve disproportionate effort (for example because you have no contact details) may you fall back on a public communication or a similarly effective measure. The main purpose of notifying the data subjects is to enable them to take their own precautionary measures to minimise the possible negative consequences. Therefore, also give the data subjects practical tips in the notification, such as (depending on the situation) changing passwords, watching for phishing messages that reference the incident, or monitoring bank statements.

The communication to the data subject(s) contains almost the same information as the notification to the supervisory authority, such as the measures proposed or taken to remedy the data breach or mitigate its consequences. It is wise to keep the communication clear and compact.

5 - Define a communication strategy

Once a notification has been made to data subjects, they most likely will contact you with questions or comments. In the case of a major personal data breach, the press may also get in touch with you. Depending on the nature and extent of the data breach, it is therefore wise to draw up a communication strategy.

  • Determine through which channels those involved can be contacted, such as by phone, e-mail or chat;
  • Agree which persons and/or departments will speak to the press and what information will be provided to the press. Also decide which persons and/or departments will speak to those involved;
  • Make sure you have sufficient capacity for communication;
  • Check whether you have sufficient staff and involve a call centre if necessary.

By informing any media and those involved in a correct and appropriate way, you prevent panic and stay in control. This also reduces the risk of damage claims by those involved.

6 - Prepare for future (legal) consequences

The supervisory authority may contact you as a result of the report of the personal data breach. For example, it may request more information, order that the data subjects be informed about the personal data breach, or launch a (short-term) investigation. Data subjects can also formally turn to you to try to recover the damage they suffered.

It is therefore recommended to make a legal analysis of the situation for each data breach and prepare for an investigation by the supervisory authority or a claim from a data subject.

 

Questions regarding this data breach response plan?

This article outlines when there is a personal data breach and provides a high level step-by-step plan of how to act in the event of a personal data breach. However, every personal data breach is different. The approach to a huge personal data leak you see in the news, such as the Cambridge Analytica scandal or the hack on LinkedIn, obviously differs from a lost USB stick containing the phone numbers of 30 employees.

Are you in doubt about whether you have a personal data breach? Or do you need a helping hand in taking measures, making a notification to the supervisory authority or data subjects, or determining the legal consequences? Our Privacy and Cybersecurity Team is ready to provide First Aid for Data Breaches.