Contents

New EU data protection law: Data breaches

As of 25 May 2018, the General Data Protection Regulation (GDPR) introduces harsh sanctions for data breaches with extended scope of applicability. Companies and other data processing entities become potential subjects not only to the data subjects’ claims for damages, the enforceability of which has been enhanced, but also to increased administrative fines to be imposed by supervisory authorities.

In addition to the above sanctions the entities may also suffer reputational damages resulting from data breaches which will be now subject to mandatory notification. Companies and other data processing entities shall set up an organisation enabling them, where possible, to prevent data breaches and, where it nevertheless occurs, to react to it in an effective and timely manner.

Detecting breaches

At first, entities must be able to detect data breaches. Only who knows that something went wrong, can fix it. For identifying data breaches the training of the staff on a regular basis and the involvement of the Data Protection Officer is inevitable.

Record keeping

The documentation of all data breaches is a legal obligation set forth in the GDPR. The data breaches, its causes and its effects shall be carefully recorded. Such records then makes also transparent which interfaces, processes and measures are effective and which ones must be optimised.

Taking measures

Obviously, detecting and recording alone would not suffice. The competent department, the IT consultant and the Data Protection Officer - if any - must also jointly define the necessary measures. Furthermore, irrespective of a data breach it is advisable to regularly test the security measures for effectiveness and efficiency and to record each testing result.

Assessing the risk

Once the necessary measures have been determined, the risks already occurred to the rights and interests of the affected persons, the extent of risk reduction achievable by the intended measures and the residual risk that remains after the intended measures are adopted, shall be analysed. The risk assessment shall give considerations as to whether the affected personal data allow conclusions on the economic situation, the health, the reliability or the job performance of the affected persons and how many persons are affected.

Notifying the breach

In light of the outcome of the risk assessment, the company decides whether there is a slight, a normal or a high residual risk. The evaluation and the reasoning for the classification of the risks shall be documented. In case of slight residual risks, there is no notification obligation. In the event of normal risks the issue must be escalated to the competent supervisory authority, including information on the nature of the data breach, nature and scope of data and data subjects as well as the identified remaining risks and the measures intended and taken. Then the company must determine the further measures together with the supervisory authority. High risks incidents must be notified both to the supervisory authority and the data subjects. In terms of language, the company needs to ensure that the information provided is transparent and comprehensible.

Entities are encouraged to set up a contingency plan describing the processes and the exact to-dos for the event that a data incident occurs.

Should you have any queries, please do not hesitate to contact one of our offices.