Help. A data breach, now what? Whether you work a lot or a little with personal data, a data breach can be a real nightmare for you as an entrepreneur if you are not properly prepared. In this blog we discuss what is expected of you when a data breach occurs, and what the Belgian Data Protection Authority will assess.
But first, a data breach. What is that anyway?
The GDPR does not use the term "data breach". It speaks of a "personal data breach", and that definition immediately shows that it covers much more than the word data breach suggests. It is not only about the unauthorised disclosure of, or access to, personal data, but also about the accidental or unlawful destruction, loss or alteration of such data. And all of this must be the consequence of a breach of security.
A breach is not the same as burglary
This "breach of security" also goes much further than you would suspect at first sight. It is not only about a computer intrusion, but about any action or event that was not supposed to happen, whether unlawful or simply accidental. And it makes no difference whether it was intentional or unintentional.
Big or small, a data breach is a data breach
It may well be that a data breach is so insignificant that hardly any damage occurs. However, the fact that there is hardly any damage does not mean that you can pretend nothing happened. In any case, as the data controller you must limit the damage as much as possible.
Three scenarios for a data breach
- Confidentiality breach: data has been disclosed, or someone has gained access to data, while this was not intended;
- Integrity breach: data has been modified in an unauthorised way;
- Availability breach: data has been lost or destroyed, or access to it has been blocked.
How can this happen? Some examples from daily practice:
Has someone deliberately blocked access to your computer, programs or files using malicious code? Then you are the victim of a ransomware attack, and you no longer have access to certain data. Such an attack can cause serious trouble, both for the data subjects and for the operation of your business. The damage is limited if the files and personal data can be recovered quickly and easily, for instance from a recent backup. The risk increases considerably, however, if the attacker has also managed to copy the data and keep it: the availability breach then becomes a confidentiality breach as well, which backups cannot undo.
A thief steals laptops or paper documents containing personal data? Less technical, but just as much a data breach.
Wrong or unintended addressee
It sometimes happens that someone accidentally sends information to the wrong addressee, or attaches the wrong file. If personal data is involved, you have a data breach.
Loss of a USB stick
For the careless. If a USB stick is lost, you may have lost data permanently, or (sensitive) personal data may end up in the wrong hands. An accidental data breach, but one with potentially major consequences. Note that if the stick was properly encrypted, the data remains lost to you but is unlikely to be readable by the finder, which makes a real difference to the risk assessment below.
A data breach. What do I do now?
When a data breach comes to light, the Belgian Data Protection Authority (GBA) will examine the actions you have taken and impose sanctions if they turn out to be inadequate. Especially if you are the data controller! For the authority, prevention is at least as important as cure. Our step-by-step plan reflects the elements that the GBA will primarily focus on in its assessment.
Step 1: Better safe than sorry
Whether a data breach occurs intentionally or accidentally, the data controller is expected to respond appropriately in any case. After all, as the data controller you are responsible for the integrity and confidentiality of the personal data. This means that you must ensure that the information you hold is sufficiently secured.
How do you do this? By taking appropriate preventive measures, both to prevent data breaches and to limit the negative consequences for data subjects:
- Regularly evaluate the data protection risks, both for your company and for the data subjects;
- Be prepared for possible data breaches by having a plan in place, so that when one happens it is clear which steps need to be taken and by whom;
- Train your staff sufficiently and make them aware of the data breach policy, so that they know how to avoid, detect and deal with a data breach. In technical terms this is called a SETA programme (security education, training and awareness). Repeat such training periodically; how often depends on the type and extent of the processing activities in the organisation;
- Secure data through encryption, where possible pseudonymisation, and if possible even anonymisation (properly anonymised data is no longer personal data);
- Implement appropriate and effective anti-malware software;
- Ensure that all programs and operating systems used are kept up to date;
- Systematically make proper and regular backups, and keep at least one copy offline or otherwise out of reach of an attacker who compromises your systems, so that ransomware cannot encrypt the backups too. Backups considerably limit the consequences of a data breach.
Step 2: Report the breach to the Belgian Data Protection Authority (GBA)
In principle, you are obliged to report the data breach to the GBA within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the rights and freedoms of the data subjects. If you notify later than 72 hours, you must state the reasons for the delay. If you are a processor rather than the controller, you must notify the controller without undue delay so that the controller can meet this deadline.
So you have to carry out a risk assessment, and you have to do it at the moment you become aware of the data breach, because that is when the 72-hour clock starts running. To evaluate the risks to data subjects, ask yourself these questions:
- What is the nature of the breach?
- Does the data breach involve sensitive data?
- How much personal data is involved?
- How many data subjects/affected persons were affected?
- How serious could the adverse effects on data subjects be?
In case of doubt, it is best to inform the authority. What if you classify the risk as unlikely and therefore do not inform the GBA, and the risk then materialises anyway? The failure to notify will count against you, and the GBA may well sanction you for it.
Step 3: Report the breach to the data subjects
You are only required to report the breach to the data subjects themselves if it is likely to pose a high risk to their rights and freedoms. This communication is not required where you had applied measures that render the data unintelligible to anyone not authorised to access it, such as strong encryption with keys the attacker does not hold, or where you have since taken measures that ensure the high risk is no longer likely to materialise. Even then, the breach must still be documented internally and, where required, notified to the GBA.
Step 4: Investigate and document the breach
As a data controller, you must document every data breach in a register.
You must do this for every data breach, regardless of the possible risks and regardless of whether it had to be notified. This internal documentation obligation follows from the accountability principle that applies to the data controller. Remember: you must always be able to demonstrate formally, by way of documents, that you comply with your GDPR obligations.
What information should you include? The facts surrounding the data breach ("What exactly does the data breach consist of, when did it occur and when did you become aware of it?"), the adverse consequences of the data breach, and the measures you have taken to address it and to limit those consequences.
Examples of adverse consequences:
- business operations come to a standstill;
- data subjects may receive unsolicited direct marketing or be targeted by phishing because their personal data has been leaked;
- data subjects may become the victim of identity fraud.
It is clear that a data breach is a heavy burden for the data controller. It is therefore important that the company is prepared for it as well as possible, so that no improvisation is needed when it happens.
Invest in appropriate measures to prevent data breaches, make sure there is a clear step-by-step plan and procedure in case one does occur, weigh up your options carefully, and document all your decisions.
Do you need guidance, preventively or after an incident? Contact our specialists at firstname.lastname@example.org.
Written by Larissa De Keyser, Trainee theJurists, and Kris Seyen, Partner theJurists