When to report a data breach?

GDPR

Mathieu

IT Law Specialist

Since 2016, businesses have been obliged under the GDPR to report certain data breaches. But when does a data breach actually have to be reported? Find out in this article.

What is a data breach?

We speak of a data breach when personal data falls into the hands of third parties who should not have access to that data. A data breach is the result of a security failure. The most common data breaches involve leaked computer files, although a stolen printed customer list can just as easily constitute a data breach.

Other examples: cyber attacks (including DDoS), emails sent to the wrong addresses, stolen laptops and lost USB sticks.

If a company telephone is lost or stolen, this may be a data breach. If a private telephone is lost, there is no data breach.

When to report a data breach?

So, a data breach occurred, but what's next? Do you always have to report it? The answer is no: only when there are serious consequences for those involved. This can be the case when:

– personal data of a sensitive nature have leaked, e.g. data on religion or belief, race, political persuasion, health, sexual life, trade union membership or criminal data;

– the nature and extent of the breach lead to (a significant likelihood of) serious adverse consequences for the protection of personal data. This will be the case, for example, where a particularly large amount of personal data belonging to large groups of data subjects has leaked.

In both cases stated above, you have to report the data breach to the DPA within 72 hours. Some data breaches must be reported not only to the national DPA but also to the individuals to whom the leaked data relates. This is the case if the data breach is likely to have an adverse impact on the privacy of the individuals concerned.

Within the Complianz plugin you can find a data breach inventory that will help you decide whether or not you need to report your data breach.

© Copyright - Complianz 2019