Personal data breaches: what they are and how to respond

In this blog post we intend to define what a personal data breach is, how an organisation should prepare to respond to one, how to act if one arises and when notification must be given to the AEPD and data subjects.

I. WHAT IS A PERSONAL DATA BREACH?

To be able to respond to a personal data breach, the first thing you have to know is what a personal data breach is and be capable of detecting and identifying one.

A personal data breach is a security incident affecting personal data. This incident may occur accidentally or intentionally and may affect data processed digitally or on paper. It usually involves the destruction, loss, alteration or communication of, or unauthorised access to, personal data.

II. What to do?

Before:  the data controller must be prepared for this possibility and must establish the actions to be taken in the event of a breach. To do this, the first thing is to be conscious of what personal data are processed, what methods are used and what risks there might be. An important element of this is to implement mechanisms that allow us to detect personal data breaches.

If happens: the data controller must implement the plan of action, specifying tasks that allow for the breach to be solved, minimising the consequences and preventing any repeat in the future.

Moreover, when a data breach occurs, certain information must be gathered in order to decide what measures and actions are to be taken to fulfil those objectives and to assess the need to notify the control authority and the data subjects.

  • How the breach occurred and what exactly occurred: a device containing personal data was lost, a theft occurred, personal data were published in error or sent to the wrong recipient, ransomware encrypted a device, an information system with personal data was accessed by unauthorised intrusion, an employee was the victim of a phishing attack, etc.
  • Origin of the breach, internal or external, and whether or not it was intentional.
  • Basic categories of data: basic data such as credentials or contact data or special categories such as health data. 
  • Volume of data affected, both the number of records affected and the number of data subjects affected.
  • Categories of data subjects affected: customers, employees, students, members, patients, etc. It is important to establish whether any of these are vulnerable groups.
  • Information on the timeframe of the breach: when it began, when it was detected and when the security breach was resolved or will be resolved.

III. Notification to the aepd and communication to those affected

In the case of a security breach, the data controller must assess the possible consequences on those affected and its severity. A personal data breach may cause reputational damage to those affected, limit their rights, lead to financial losses, discrimination, etc. and such effects can have varying degrees of severity. Therefore, we must think about the benefits of those affected being aware of the fact they are facing a security breach.

To evaluate this situation effectively, it is important to have the record of processing activities and the risk analysis prepared and updated previously.

If the security breach constitutes a risk to the rights and freedoms of natural persons, the AEPD must be notified within a maximum period of 72 hours of becoming aware of same, using the form available in website.

In any case, along the lines of the accountability and transparency set out in the GDPR, it is always recommended that the data controller notify the AEPD of any personal data security breach affecting them.

To complete the notification form it is helpful to have clear, relevant information on the breach, as detailed above.

If there is a high risk, this must be communicated to those affected, without undue delay, in clear and simple language through the means of contact normally used for communicating with them. This will allow those affected to react as soon as possible and take the appropriate measures, because said communication must clearly explain what occurred and the measures recommended so that they might minimise or eliminate the negative consequences such a breach might have on them.

In the event the breach is suffered by a data processor, they must inform the data controller who must assess whether or not the AEPD and the data subjects affected must be informed. In any case, the details on the responsibilities of the controller and processor in the event of a breach should be expressly stated in the contract or legal bond through which the processing task is assigned.

In any case, regardless of whether the AEPD has been notified or not, or if the data subjects affected have been informed, we should maintain a log of the security breaches suffered, justifying the decisions taken. This document may be requested at any time by the AEPD.

IV. Conclusions

Within the framework established by the GDPR and the LOPD-GDD, a culture of good personal data management on the part of data controllers and data processors is being promoted. On the one hand, this new culture of treating personal data breaches should allow for the impact on the data subjects affected to be minimised, establishing mechanisms to ensure they are aware when data have been affected so they can take measures. On the other hand, it is just as important to analyse security breaches to learn what has failed in our procedures or operations, as it is to resolve them and minimise their consequences for those effected. That’s why it is so important, after a breach, to document it and the response to it in detail over time.

To broaden information on how to act in the event of a security breach and what can be planned in advance, please see the AEPD Guide on personal data breach management and notification.