Data breach definition and management
In the digital age we are currently living through, the security of personal data has become a key priority for individuals and companies alike. Yet despite advances in data protection, data breaches remain a constant threat.
The definition of a data breach under the GDPR
The GDPR, in Article 4, defines a personal data breach as "a breach of security involving the destruction, loss, modification, unauthorized disclosure of or access to personal data stored or processed." This means that a data breach can be caused by either accidental events or illegal actions, and in every case involves the compromise of personal data.
Examples of data breaches
Data breaches can manifest in a variety of ways, including:
- Access or acquisition of data by unauthorized third parties: This can happen when hackers or malicious parties manage to infiltrate computer systems to gain access to sensitive information.
- Theft or loss of devices containing personal data: The loss or theft of devices such as laptops, smartphones or external hard drives containing sensitive data can be considered a data breach if they are not adequately protected.
- Deliberate alteration of personal data: When personal data is intentionally changed or altered, a data breach occurs that can have significant consequences for the individuals affected.
- Inability to access data due to accidental or external causes: This may occur as a result of technical failures, cyber attacks, or events such as viruses, malware, or human error that prevent access to data.
- Loss or destruction of personal data due to accidents or disasters: Events such as fire, flooding or other disasters may result in the loss or destruction of personal data, representing a significant data breach.
- Unauthorized disclosure of personal data: When personal data is disclosed to third parties without the consent of the data subject, a data breach occurs that can lead to serious privacy consequences.
What to do in the event of a data breach
In the event of a data breach, it is essential to take timely measures to manage the incident and mitigate the damage. The following are significant steps to follow:
- Notification to the Data Protection Supervisor: According to Article 33 of the GDPR, the data controller must notify the Data Protection Supervisor of the incident within 72 hours of becoming aware of it, unless the personal data breach poses a risk to the rights and freedoms of the individuals involved. The notification must include a detailed description of the breach, the categories and approximate number of data subjects involved, and the measures taken or proposed to address the incident.
- Inform Data Subjects: If the data breach poses a high risk to the rights and freedoms of the individuals involved, the data controller must immediately inform data subjects of the incident. This communication must be clear, transparent, and provide relevant information about the nature of the data breach, the potential consequences, and the measures taken to address the situation.
- Data Breach Log: It is mandatory to maintain a detailed log of personal data breaches that have occurred. This log must contain information such as the date and time of the breach, the cause of the incident, measures taken to resolve the breach, and communications made to data subjects and the Supervisor.
- Risk Assessment: It is important to assess the severity of the risk to the rights and freedoms of individuals affected by the data breach. This assessment takes into account several factors, including the nature and sensitivity of the personal data involved, the number of data subjects, the consequences of the incident, and the security measures taken to mitigate the adverse effects.
What is the competent supervisory authority?
The competent supervisory authority is the body responsible for the protection of personal data in the specific EU member state where the data breach occurred. According to Article 55 of the GDPR, each supervisory authority is competent to exercise the tasks and powers assigned to it in its member state.
Failure to notify data breach: penalties
The GDPR provides for severe penalties for failure to report a data breach. Administrative penalties can be up to 10 million euros or up to 2 percent of the company's annual turnover, whichever is higher. These penalties are intended to ensure that organizations are committed to adequately protecting personal data and responding promptly to breaches.
Importantly, prevention is the first step in mitigating data breach risks. Organizations must implement robust data security policies, including encryption measures, multi-factor authentication, and limited access to sensitive data. In addition, staff cybersecurity training and awareness of data breach threats are crucial to foster a security culture within the organization. Transparency and open communication are essential to maintain the trust of stakeholders and to demonstrate the organization's commitment to protecting their data.
Finally, supervisory bodies and competent authorities play a crucial role in the supervision and enforcement of data protection laws. They monitor the adequacy of security measures taken by organizations and can impose penalties for noncompliance. Therefore, organizations must maintain an ongoing dialogue with supervisory authorities, report data breaches promptly, and cooperate fully during investigations.
Don't let a data breach put your business at risk! Find out today how we can help you strengthen your defenses and effectively manage any incident. Visit our Incident Response Team to explore our customized security services and start protecting your sensitive data with guidance from our experts, or contact us now at sales@vvlab.it.