Data Breach, not just “notification”

Monday, November 13th, 2017

Among the new obligations introduced by the GDPR, the one on data breaches seems to be the least problematic. Unlike the DPIA and the DPO, which are widely debated topics, Data Breach appears to be a clear point: in fact, there is no dispute on it. The WP250 Guidelines (adopted by the WP29 on 10/3/2017) explain and detail it, but add little.

Probably the scenario is not as clear as it seems. We have to begin with the title of this subject: “Notification of a personal data breach to the supervisory authority”. The content of Article 33, indeed, from its first paragraph, covers: the controller’s duty to notify the data breach to the Supervisory Authority, the processor’s duty to inform the Controller, the content of the notification, and how to give information about and document the data breaches. There is also Article 34, on “Communication of a personal data breach to the data subject”. There are, instead, no provisions about the technical or organisational measures to adopt in order to prevent, detect and manage breaches.

Don’t forget the spirit of the whole Regulation, which is to set out principles and let the Controller decide the right way to comply with them. So, may we suppose that, in this way, the lawmaker means “there is nothing to do in order to prevent or fight data breaches; when they occur, the controller just has to notify me”? Clearly not: in effect, Articles 33 and 34 (included in Section 2 of the GDPR, on personal data security) are preceded by Article 32, which requires the controller and the processor to adopt “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

We also have to take into account the context in which the Controller will draft and send the notification to the Authority. Of course, it will be sent in crisis mode, for two different reasons:

1) if a security breach has occurred, it is necessary to act quickly;

2) the GDPR requires the notification to be sent within 72 hours of the breach.

In this situation, the Controller has to decide between two different options: worrying about it only when a data breach occurs, and improvising procedures and responsibilities on the spot, or planning roles and procedures in advance.

So, you can imagine why it is right to adopt some measures in advance. Let’s see which solutions:

Roles and Responsibilities
  • appoint a qualified Data Protection Officer to assess any consequences for data subjects’ rights and to manage the data breach notification;
  • appoint a qualified IT Officer to prevent and manage breaches;
  • a training plan for processors.
Organisational Measures
  • plan and write a procedure/regulation;
  • define the risk level of each type of data processing in the event of a data breach;
  • verify contractual restrictions with customers;
  • provide contractual restrictions for providers that process personal data.
Prevention of data breaches
  • besides the security systems already in place, consider the adoption of breach prevention systems.
Prevention of consequences
  • consider the adoption of systems that protect data subjects’ rights (e.g. encryption).
Detection of violations
  • define the event that triggers the violation report and adopt appropriate measures to detect it.

Among all the organisational measures that should be planned in a good procedure, the “Risk Classification” is particularly significant: it is not the usual academic mapping; it has, instead, practical implications on breach management (and on its notification).

LACK OF RISK: notification is not mandatory when the absolute absence of risk can be demonstrated.

EXISTING RISK: in case of existing risks for data subjects’ rights as a result of a breach, notification to the authority is mandatory.
The main risks for data subjects’ rights due to a violation may be:
– physical, material or non-material damage to people;
– loss of control over personal data;
– identity theft or fraud;
– financial loss, economic and social damage;
– unauthorised reversal of pseudonymisation;
– damage to reputation;
– loss of confidentiality of personal data protected by professional secrecy (health and judicial data).

HIGH RISK: in the presence of high risks, notification to the data subjects is mandatory. When the data controller has adopted encryption of the data, and the violation does not involve the decryption keys, notification to the data subjects will not be mandatory.

The risks for data subjects should be considered “high” when the violation is, for example, able to:
– involve a great number of personal data and/or data subjects;
– concern special categories of personal data;
– include particular types of data that may increase the potential risk (e.g. location, financial and behavioural data);
– cause an imminent and likely threat (e.g. financial loss in case of credit card data theft);
– impact vulnerable parties because of their personal status (patients, children and suspected people).

It is clear that a prior risk ranking of each data processing will be a great help, in case of violation, in order to take the best decision in time.
Let’s see what the best way to manage a data breach is.
The protocol to be followed, in case of breaches, can be divided into 5 steps:
1. detection of the breach;
2. management and rating of the breach;
3. notification to the authority;
4. (possible) notification to the data subjects;
5. record of the breach.

From the graphic, you can see that notification is only one of the steps to take in case of a breach, and it is closely linked to the steps before and after it.
The chance of keeping step 3B on schedule is closely linked to the timeliness of steps 2B and 3A; all the steps, finally, depend on the existing procedure and on the other preventive measures adopted (including the training plan).

About Paolo Calvi

Data Protection Consultant at Partners4Innovation - P4I. Formerly Data Protection Specialist (within Mediaset Group IT department) and freelance Privacy Consultant. TÜV CDP certification owner as "Privacy Officer".