A data breach in the European Union (EU) is defined under the General Data Protection Regulation (GDPR) as a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This can affect the data’s confidentiality (ensuring that it is accessible only to those authorized to access it), integrity (ensuring that it is accurate and complete), or availability (ensuring that it is accessible when needed).
Key Obligations under GDPR in case of a Data Breach:
- Notification to Supervisory Authority: If a data breach occurs, and it is likely to result in a risk to the rights and freedoms of individuals (e.g., risk of identity theft, fraud, financial loss, or damage to reputation), the organization must notify the relevant Data Protection Authority (DPA) without undue delay, and no later than 72 hours after becoming aware of the breach. This notification should include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address it.
- Notification to Data Subjects: If the breach is likely to result in a high risk to the individuals’ rights and freedoms, the organization must also inform the affected individuals without undue delay. This notification should be clear and explain in plain language the nature of the breach and the steps the individuals should take to protect themselves.
- Data Processor’s Obligation: If the organization in question is a data processor (a third-party entity processing data on behalf of another organization), it must notify the data controller (the organization that determines the purpose and means of processing) of the breach. The data controller is then responsible for notifying the DPA and the affected individuals, depending on the severity of the breach.
Examples of Data Breach:
- Textile Company Employee Data Breach:
  - Scenario: A textile company’s employee data, including sensitive information such as home addresses, family details, salary information, and medical claims, is inadvertently disclosed.
  - Obligations: Since this breach involves sensitive personal data, the company must notify both the DPA and the affected employees. Sensitive data like health information increases the risk to the individuals, making it imperative to inform them directly.
- Hospital Patient Data Breach:
  - Scenario: A hospital employee copies patient details, including highly sensitive health information (e.g., details about cancer, pregnancy), onto a CD and publishes them online. The hospital discovers this breach a few days later.
  - Obligations: Upon discovery, the hospital has 72 hours to notify the DPA. Due to the sensitivity of the data, the hospital must also inform the affected patients. If the hospital had implemented strong security measures like data encryption, it might argue that the risk to patients is lower, potentially exempting it from the requirement to notify them. However, in this case, the failure to prevent such a breach suggests that appropriate measures might not have been in place, necessitating full disclosure.
- Cloud Service Provider Data Breach:
  - Scenario: A cloud service provider loses several hard drives containing personal data belonging to its clients.
  - Obligations: The cloud provider must notify its clients immediately. The clients, depending on the sensitivity of the data and the risk posed by the breach, may then need to notify the DPA and the affected individuals. The responsibility to determine the severity of the breach and the need for further notifications lies with the data controllers (the clients), not the cloud service provider.
Preventive Measures:
To mitigate the risk of data breaches, organizations must implement appropriate technical and organizational measures. These might include data encryption, regular security audits, staff training on data protection, access controls, and data minimization strategies. By doing so, they not only reduce the likelihood of a breach but also limit the impact should a breach occur, potentially reducing their obligations under GDPR.
In conclusion, GDPR imposes strict requirements on organizations in the event of a data breach, particularly when sensitive personal data is involved. The regulations ensure that both authorities and individuals are promptly informed so that they can take appropriate measures to protect themselves.