31.01.2025

Reporting a data breach - a guide for companies

When a company discovers that it has suffered a data breach, the first thing on the minds of employees and management is usually the fine. Here we look at the best way to proceed, and when you even need to report an incident.

Your ISiCO-Expert:
Jacqueline Neiazy
Director Privacy

Data breach? 72 hours to report!

In articles about the General Data Protection Regulation (GDPR), the word 'fine' seems to appear in every other sentence, regardless of what the article is about. When a company then discovers that a data breach has occurred, the first thing that employees and management fear is the imposition of a fine. At this point, we would like to reassure you that a data breach does not necessarily result in a fine.

However, in the event of a data breach, a rapid and structured response is required. Ideally, therefore, you should familiarise yourself with the necessary measures and correct behaviour before a data protection incident occurs. This includes, in particular, careful clarification and documentation of the data protection incident, as well as compliance with the obligation to report the data protection incident to the competent authority and, if applicable, to the data subjects.

What measures should be taken in the event of a data protection incident? Find out how best to prepare for a data incident and take the necessary steps. Below you will find information on how best to proceed and when to report an incident.

First, the most important information:
You have 72 hours from the time you become aware of a data breach to report it!

What are examples of data breaches and how do they occur?

The basic requirement for reporting is, of course, the existence of a data protection incident. In abstract terms, a data incident is any event in which the confidentiality of personal data has been breached. It can be caused by intentional or unintentional actions of internal or external persons. In general, it includes unauthorised access, unauthorised use, unauthorised disclosure, unauthorised loss or unauthorised destruction of personal data. It does not matter whether a third party has obtained knowledge of the data or whether there is fault involved.

For better understanding, some examples of data breaches are listed below:

  • Illegal disclosure (e.g. sending an email to the wrong recipient),
  • loss or theft of storage media or documents containing personal data,
  • data breaches/leaks (e.g. software bugs, hacker attacks on the IT system),
  • accidental alteration or inadvertent deletion of personal data.

How does the reporting process work in the event of a data breach and who are the parties involved?

As mentioned above, a data protection incident must be reported to the competent supervisory authority within 72 hours of becoming aware of it. The controller becomes aware of the data protection incident, for example, through a report from an employee or a processor. If, after a preliminary assessment, it cannot be ruled out from the outset that personal data has been affected, management, the Data Protection Officer and the internal IT department must be informed. The following (rough) procedure should therefore always be followed:

  • Gather all the key details of the incident (What happened? When did it happen? Which department is involved? Is personal data involved? Who is affected? etc.)
  • Report the incident to the Data Protection Coordinator
  • Data Protection Coordinator: notes the time of the data protection incident and immediately informs the IT department, management and, if applicable, the Data Protection Officer.
  • IT department: initiates security measures as soon as possible (appropriate measures to defend/secure the data)
  • Data Protection Officer: reviews the incident from a data protection perspective and assesses whether the incident needs to be reported.
  • Management: Makes the final decision as to whether the incident should be reported.
  • Notification of the incident to the relevant data protection authority and the data subject(s)


What are the roles of the parties involved in a data incident and what are their responsibilities?

In this process, the Data Protection Coordinator is responsible for coordinating and informing the parties involved. The legal review of the incident and the direction of specific actions is the responsibility of the Data Protection Officer, in consultation with the Legal Department if necessary. Management leads the crisis team, supports the investigation, monitors the data protection review and ultimately decides whether a report should be made. The IT department is responsible for quickly checking the technical systems and, if necessary, ensuring that the affected systems are backed up.

When must a data protection incident be notified to the supervisory authority (Article 33 GDPR) and what information must be provided?

Once all the information on the incident has been collected, a report must be made to the competent supervisory authority if there is a risk to the personal rights and freedoms of natural persons. This is always the case if the data subject is likely to suffer physical, material or non-material damage.

Typical examples of such damage are loss of control over personal data, identity theft or fraud, or loss of confidentiality of data subject to professional secrecy. The damage does not have to be serious for a risk to exist. Whether a risk exists is determined on the basis of a risk assessment, which considers, among other things, the following aspects:

  • the type of data concerned (sensitive data, e.g. health data, must be considered high risk),
  • the level of confidentiality of the data,
  • the nature of the attack on the data,
  • the potential for misuse,
  • the possibilities for mitigation.

What are the minimum requirements for reporting a data protection incident to the supervisory authority?

If there is a risk and a notification must be made to the supervisory authority, the notification must meet certain minimum requirements (see Article 33(3) GDPR). It must include the name and contact details of the DPO, the nature of the breach together with the categories of data and the approximate number of records and individuals affected, a description of the likely consequences of the breach, and the measures taken or proposed by the company to address the breach.

What if you are unsure whether a data breach needs to be reported?

Even in cases of doubt, i.e. if you are not sure whether there is a risk to the rights and freedoms of data subjects or if you are not able to carry out a comprehensive risk assessment, the incident should still be reported to the competent supervisory authority as a precaution.

How to document correctly if a data breach poses no risk?

If the assessment shows that there is no risk, a notification can usually be omitted. However, even in this case, it is essential to document the relevant facts and the resulting assessment of the facts (Article 33(5) GDPR). This is because the data controller is obliged to prove that it has made a correct decision with regard to the notification obligation.

Does the data subject have to be informed in the event of a data protection incident (Art. 34 GDPR) and in which cases is notification required?

It is also necessary to consider whether the data subject must be informed. The data subject is the person whose data has been unlawfully obtained by a third party, for example through theft or hacking. However, notification is not always required. The threshold is higher than for notifying the supervisory authority: it is only mandatory if there is a high risk to the personal rights and freedoms of the data subject. Whether such a high risk exists is also determined on the basis of a risk assessment.

Which data breaches require notifying the data subject? Typical high-risk consequences include:

  • Damage to reputation,
  • Identity theft and fraud,
  • Financial loss,
  • Discrimination.

These examples represent a high risk, which means that a notification obligation must be assumed. Where a notification is required, it must be drafted in terms that are as comprehensible as possible to a layperson and, similar to the notification to the supervisory authority, must contain some minimum information, including the name and contact details of the DPO, a description of the nature of the breach, the likely consequences of a breach, and the measures taken and proposed by the controller.

When is there no obligation to notify the data subject?

  • Appropriate technical and organisational measures have been taken to prevent any detriment to the data subjects (e.g. the affected data was encrypted),
  • notification would involve disproportionate effort; in this case, a public announcement or comparable measure is required instead,
  • notification would disclose information that must be kept secret due to the overriding interest of a third party.

What are the key steps in reporting a data breach and how can external privacy experts help?

Handle a data incident carefully and in accordance with the law. This will show both the supervisory authority and the data subjects that you are managing the situation responsibly and diligently. Do not waste time, and comply with the formal and substantive requirements for notification. Even if the data protection incident was caused by a failure to comply with legal requirements or technical standards, it is tactically prudent at this stage to adhere strictly to the rules and to carefully clarify and document the incident.

How should data breaches be reported? Key steps and timelines at a glance:

  • Careful internal investigation of the incident
  • Coordinated and structured division of labour between legal, DPO, IT and management - everyone needs to know their role!
  • Weigh up the risk:
    • Low risk - notify only the supervisory authority
    • High risk - notify data subject and supervisory authority
  • Comply with formal notification requirements!
  • Do not exceed 72 hours for notifying the authority! If this deadline is exceeded, you must give reasons for exceeding the deadline.
  • Document all data protection incidents and the risk assessment. Even if no notification is made to the authorities!

How can an external DPO assist in the event of a data protection incident?

The DPO has a particularly important role to play when a data protection incident has occurred. Among other things, he or she has the important task of reviewing the incident from a data protection perspective. ISiCO can act as an external data protection officer for your company and support you in dealing with data protection incidents or even prevent them from occurring in the first place by implementing the GDPR requirements in a targeted manner. Our legal and IT experts can also prepare your internal data protection officers for their tasks through DPO training courses or train your employees in dealing with data protection incidents. Put your trust in us and our data protection expertise!
