A data breach or a data leak occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability, or integrity. If that occurs, and the breach is likely to pose a risk to individuals’ rights and freedoms, your company/organization has to notify the supervisory authority without undue delay. If the data breach poses a high risk to the individuals affected, then (under most jurisdictions) those individuals should also be informed, unless effective technical and organizational protection measures were in place, or other measures have been taken that ensure the risk is no longer likely to materialize.
In Complianz, our wizard helps you to decide if you should notify the supervisory authority and those individuals affected. It also creates a document you can use for the notification.
What is a data breach?
We speak of a data breach when personal data falls into the hands of malicious third parties (such as hackers) who should not have access to that data. A data breach is the result of a security problem. We speak of a data leak in the case of unauthorized transmission of information from inside an organization to an external recipient.
The most common data breaches/leaks are leaked computer files, although a stolen printed customer list can just as easily constitute a data breach.
Other examples: cyber attacks (including DDoS), emails sent to wrong addresses, stolen laptops, and lost USB sticks.
When to report a data breach or data leak?
So, a data breach or data leak occurred, but what’s next? Do you always have to report it to the supervisory authority or those involved?
This all depends on the local privacy law and, in most cases, on the consequences for those involved. Reporting to those involved can be required when:
– personal data of a sensitive nature has leaked, e.g., data on religion or belief, race, political persuasion, health, sexual life, trade union membership, or criminal data.
– the nature and extent of the breach lead to (a significant likelihood of) serious adverse consequences for the protection of personal data. This will be the case, for example, where a substantial amount of personal data belonging to large groups of data subjects has leaked.
Within the Complianz plugin, you can find a data breach inventory that will help you decide whether you need to report your data breach or not!