Among the new disciplines, introduced by GDPR, the one about the data breach is seemingly the least of the problem. Unlike DPIA and DPO, rated as discussed topics, Data Breach seems to be a clear point. In fact, there aren’t dispute on this topic. Also, WP250 Guidelines (adopted by the WP29 on 10/3/2017) explain and detail but add little.
Probably the scenario is not as clear as it seems to be. We have to begin with the name of this subject:”Notification of a personal data breach to the supervisory authority”. The content of the article 33, indeed, from the first paragraph, is about: the controller’s duty of notification of the data breach to the Supervisory Authority, the processor’s duty to inform the Controller, the content of the notification and how to give information and document about the data breaches. There’s also article 34, about “Communication of a personal data breach to the data subject”. There are no provisions about technical or organizational measures to adopt in order to prevent, find and manage the breaches, instead.
Don’t forget about the spirit of the whole Regulation, that is to show principles and let the Controller decide the right way to comply with GDPR principles. So, may we suppose that, in this way, the lawmaker means “there’s nothing to do in order to prevent or fight the data breaches; when they come, the controller has to notify me”? Clearly not, in effect articles 33 and 34 ( included in Section 2 of GDPR about Personal Data Security), are preceded from article 32 that requires for controller and processor to adopt “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.
We also have to take into account the context in which Controller will edit and send the notification to the Authority. Of course, it will be sent in a crisis mode, due to two different reasons:
1)if a security breach has occurred, it is necessary to act quickly;
2) GDPR requires to send notification within 72 hours from the breach
In this situation, Controller shall decide between two different options: being concerned about, only in case of a data breach, and improvise on the spot about procedures and responsibilities, or plan, in advance, role and procedures.
So, you can imagine the reason why is right to adopt in advance some measures. Let’s see which solutions:
| Scope | Description |
| Roles and Responsibilities |
|
| Organisational Measures |
|
| Prevention of data breaches |
|
| Consequences prevention |
|
| Detection of violation |
|
Among all organizational measures that shall be planned in a good procedure, it’s particularly significant the “Risk Classification”; it is not the usual academic mapping, and it has, instead, practical implications on the breach management (and on its notification).
LACK OF RISK: Notification is not mandatory when the absolute lack of risk can be demonstrated.
EXISTING RISK: In case of existing risks for data subjects rights, as result of a breach, the notification to the authority is mandatory.
The main risks for data subjects rights, due to a violation may be:
– physical damages, material or not to people;
– loss of control on personal data;
– identity theft or fraud;
– financial loss, economic and social damage;
– unauthorized decryption of pseudonymization;
– damage to reputation;
– loss of confidentiality on personal data protected by professional secrecy ( health and judicial data).
HIGH RISK: in the presence of high risks, notification to data subject is mandatory. When data controller adopts data cryptography systems, and the violation is not on one of the decryption keys, notification to data subjects will not be mandatory.
The risks for data subject should be considered “high” when the violation is, e.g., able to:
– involve a great number of personal data and/or data subject;
– concern particular categories of personal data;
– include particular types of data that may increase potential risk (e.g. localization, financial, and habits data);
– cause imminent and possible threat (e.g. financial loss in case of credit card data theft);
– impact on weak parties because of their personal status (patients, children, and suspected people).
It’s clear that a prior risk ranking on each data processing will be a great help, in case of violation, in order to take the best decision in time.
Let’s see what are the best way to manage a data breach.
The protocol to be followed, in case of breaches, could be divided into 5 steps:
1. detection of the breaches;
2. management and rating of the breaches;
3. notification to the authority;
4. (possible) notification to the data subjects;
5. record of the breaches.
From the graphic, you can see that notification is only one of the steps, in case of breaches, and it is closely linked to its previous and following steps.
And the chance to keep on schedule step n. 3B is closely linked to the timeliness of steps n. 2B and 3A; All the steps, finally, depends on the existing procedure and on other preventive measures adopted (included learning project).