GDPR - data breach handling in 5 steps (2024)

In today’s world, data breaches are a reality: nobody wants them to happen, but they do. When a data breach involves the personal data of EU residents, it falls under the EU GDPR, which means the Data Protection Authority may need to be notified of the personal data breach within 72 hours of its discovery. In addition, personal data breaches can bring heavy fines and reputational damage. Let us look at how to handle a personal data breach under the EU GDPR.

Who does what, when personal data is breached?

  • Staff, usually the security incident management team, should inform the Data Protection Officer (DPO).
  • The DPO of the controller should notify the Data Protection Authority when the risk to the rights and freedoms of data subjects is high.
  • The DPO of the controller may notify data subjects, if the risk to the rights and freedoms of data subjects is high. This should be done with the public relations team within the organisation.
  • The Data Protection Officer of the processor must notify the controller, as stated in the contract. In this case, all personal data breaches need to be reported to the controller, without exception.


How should a personal data breach be handled?

In my view, your personal data breach should be handled according to the following steps:

1) Inform your Data Protection Officer: As soon as a personal data breach is identified, the first and foremost task is to inform and involve the DPO in your organisation.

2) Assess scope and impact: Identify the extent of the impact, and the scope of the personal data breach; i.e.:

  • Ascertain that personal data was breached.
  • Estimate the number of data subjects whose personal data was possibly breached.
  • Determine the possible types of personal data that were breached.
  • List security measures that were already in place to prevent the breach from happening.

As personal data breaches are to be reported within 72 hours by the controller, this step should be a high priority, and should focus on providing sufficient information to the DPO for this notification to the Data Protection Authority.

See also: The obligations of controllers towards Data Protection Authorities according to GDPR.

3) Notify the relevant parties: The DPO of your organisation should inform the Data Protection Authority if your organisation is the controller of personal data. If the risk to the rights and freedoms of data subjects is high, the data subjects should also be informed by the DPO of the controller. However, if your organisation is the processor of personal data, the DPO should notify the responsible person stated in your contract with the controller.

The communication should include contact details of the DPO, details of the breach, likely impact, actions already in place, and those being initiated to minimise the impact of the data breach. Also, it is important to mention that further impact is being investigated (if required), and necessary actions to mitigate the impact are being taken.

4) Deep dive, contain and notify: While the DPO is notifying the relevant authorities, it is critical that the incident team continues the deep dive on the following two tracks in parallel:

  • Taking all possible measures to reduce the risk and contain further unauthorised access
  • Continuing to refine the original estimate of the number of data subjects breached and the types of personal data that were breached

As details are discovered, the Data Protection Authority (DPA) or the controller may be updated on the current situation.

If the freedoms and rights of data subjects are significantly impacted, the DPO of the controller would need to decide if the data subjects also need to be informed. If so, the public relations or communications team of the company should be involved in this communication.

5) Review and monitor: Once the personal data breach has been contained, the organisation should review the measures that were in place and explore how they can be strengthened to prevent a similar breach from recurring. All such identified measures should be monitored to ensure that they are satisfactorily implemented.

And, while you take the above steps, always keep a log of your actions and keep a data breach register.
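As an added example (not from the article), a small breach-register model in Python that encodes the steps above: the 72-hour clock from discovery, the routing rule of step 3 (a controller's DPO notifies the DPA and, when the risk is high, the data subjects; a processor's DPO notifies the controller for every breach), estimate refinement during the deep dive, and a timestamped action log. The breach reference, timestamps and counts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)   # notification deadline stated in the article


@dataclass
class BreachRecord:
    """One entry in the breach register; fields follow steps 1 to 5 of the article."""
    breach_id: str                    # constructed reference, e.g. "PDB-2024-001"
    discovered_at: datetime           # step 1: the 72-hour clock starts when the breach is found
    role: str                         # "controller" or "processor"
    high_risk: bool = False           # risk to the rights and freedoms of data subjects
    subjects_estimate: int = 0        # step 2: estimated number of affected data subjects
    data_types: list = field(default_factory=list)  # step 2: types of personal data involved
    log: list = field(default_factory=list)         # timestamped actions (keep a log, as advised)

    def record(self, when: datetime, action: str) -> None:
        self.log.append((when.isoformat(), action))

    def notification_deadline(self) -> datetime:
        return self.discovered_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.notification_deadline() - now) / timedelta(hours=1)

    def parties_to_notify(self) -> list:
        """Routing rule from step 3: a controller's DPO informs the DPA and, when the risk is
        high, the data subjects; a processor's DPO informs the controller for every breach."""
        if self.role == "processor":
            return ["controller"]
        return ["DPA", "data subjects"] if self.high_risk else ["DPA"]

    def refine_estimate(self, when: datetime, subjects: int, data_types: list) -> None:
        """Step 4: update the original estimate as the deep dive discovers more."""
        self.subjects_estimate, self.data_types = subjects, list(data_types)
        self.record(when, f"estimate refined: {subjects} data subjects, {', '.join(data_types)}")


def run_example() -> BreachRecord:
    """Walk a constructed (fictional) breach through the register."""
    found = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord("PDB-2024-001", found, role="controller", high_risk=True)
    rec.record(found, "incident team informed the DPO")                                  # step 1
    rec.refine_estimate(found + timedelta(hours=4), 1200, ["email", "address"])          # step 2
    rec.record(found + timedelta(hours=30), "DPO notified: " + ", ".join(rec.parties_to_notify()))  # step 3
    rec.refine_estimate(found + timedelta(hours=50), 950, ["email"])                     # step 4
    rec.record(found + timedelta(days=5), "review of existing measures completed")       # step 5
    return rec
```

`run_example().hours_remaining(now)` gives the time left on the 72-hour clock at any point, so the DPO can see how much of the window remains before the DPA notification is due.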

Conclusion

As personal data breaches can have significant reputational and financial consequences, they need to be managed carefully. Do not wait for a personal data breach to happen; set up a personal data breach process and create notification templates now.

To help you decrease the risks of data breaches, try this online Security Awareness Training.

Author: Van Hayes