April 2022 – The most fundamental factor in the successful protection of personal data is data security. Without an adequate level of data security, it is impossible to create the conditions under which the processing of personal data can be carried out responsibly. One of the most important provisions of the European General Data Protection Regulation (2016/679/EU – abbreviated as GDPR) is the requirement that the data controller and the data processor ensure a level of data security that is proportional to the level of risk involved.
The reason for this is simple: to prevent personal data breaches. A personal data breach is the most dangerous situation from a data protection point of view, as not only does it presuppose an infringement, but the circumstances of its occurrence are uncertain: the date of discovery, the date of rectification, the number of persons involved, the amount of personal data involved, etc. For these reasons, there is no doubt that data protection law and the data controllers themselves should give priority to prevention.
However, in a data protection culture, dealing with personal data breaches still does not receive the attention it deserves. Incident management is often reduced to the organizational and technical regulations for data security and the administrative tasks required in connection with incident management, even for the most efficient data controllers.
Considering that the number of reported personal data breaches is increasing in a trend-like manner (the number of data breach reports increased by 8% in the EU from 2020 to 2021, while in Hungary, according to the most recent 2020 report published by the National Authority for Data Protection and Freedom of Information (NAIH), more than one and a half times as many breaches were reported as a year earlier), it can be assumed that the personal data breach will become an increasingly important topic in the world of data processing. This is despite the fact that the “home office” working methods that have been forcibly introduced in the corporate sector over the past two years have led to a noticeable decline in data security.
In the following article, we have summarized all the information that is necessary for someone to understand the phenomenon, regulation and handling of personal data breaches.
Types of personal data breach
According to the GDPR, a “personal data breach” is “a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise handled”.
The data controller is aided in the effective detection and management of personal data breaches by the typology of personal data breaches. Personal data breaches are currently classified according to two typologies, set out in the recommendations published in connection with the GDPR.
The first EU-level recommendation on personal data breaches ("Guidelines on Personal data breach notification under Regulation 2016/679") classified incidents into three categories: (a) "confidentiality breach", which is the unauthorized or accidental disclosure of, or access to, personal data; (b) "integrity breach", which means the unauthorized or accidental alteration of personal data; and (c) "availability breach", which means the accidental or unauthorized loss of access to, or destruction of, personal data.
In contrast, the second EU-level recommendation on personal data breaches (Recommendation 1/2021 on the Reporting of Personal data breaches) divided personal data breaches into the following sets, based on the typologies used in the field of data security: ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices or paper documents, and mispostal.
As noted above, the importance of typologies lies in the fact that they help the data controller to decide whether a particular security incident is a personal data breach, or whether it is subject to an exception that does not require it to be reported to the authority or communicated to the data subjects. Of course, typologies also help us to track the evolution of personal data breaches, to decide which type of incident to allocate more resources to, and so on.
The importance of effective data breach management
With the increasing incidence of personal data breaches, awareness of them has also begun to emerge and then evolve over the past few decades. The European General Data Protection Regulation (GDPR) has given a strong impetus to this process by imposing important related obligations on data controllers and severely sanctioning non-compliance. However, one might still uncover significant compliance gaps concerning personal data breaches, so in this article we have collected the most common arguments in favor of effective incident management in two groups.
Undoubtedly, the strongest argument is damage prevention. Potential damage can occur in a number of ways. If the incident concerns the data of the data controller's users, customers, clients or partners, reducing the impact of the personal data breach is paramount, as they may lose all confidence in the data controller, which may thus lose its source of revenue. Closely related to this is the risk of reputational damage. In addition to its customer portfolio, the data controller's most valuable asset is its reputation in the market, which cannot be recouped overnight. Of course, a personal data breach can also cause direct damage to the data controller, typically in the form of data loss, system outages or failures, but this also includes costs that can be linked to the incident in any form, not least those due to diverted attention. A serious personal data breach often consumes the full workforce of the data controller, diverting resources from revenue-generating activities. Finally, the possibility of a fine imposed by the data protection authority should also be considered: if the data controller is not prepared for data breach management, it can expect a heavy administrative fine.
The second group of arguments concerns the effectiveness of data breach management itself. A well-regulated and trained organization has the ability to take effective action quickly, and speed is always a key factor in a personal data breach, whether it determines the length of a possible outage, the time it takes to close a vulnerability, or simply the ability to meet, on time, the data controller's information and notification obligations under the GDPR.
Finally, such a situation also provides an opportunity for the data controller to strengthen its relationship with its users (customers, buyers, etc.) by communicating in a meaningful way, ensuring adequate transparency and describing precisely the steps it has taken to deal with the crisis.
Adequate data breach management is in the interest of all data controllers, yet statistics show that data controllers are not adequately prepared for personal data breaches, although, as we can see, there are strong arguments in favor of the necessary preparedness.
Challenges of technology-neutral regulation
The regulation of the GDPR is technologically neutral, i.e. its rules are not tied to a specific technology, but are general and applicable to any technology. This is necessary on the one hand because this solution reduces the risk of circumvention of specific rules, but on the other hand it imposes more tasks on the data controller, as technology-neutral regulation is necessarily more abstract and general than regulation for a specific technology.
This generality carries the risk of major non-compliance, as it is often unclear whether the solution chosen by the controller in a given situation actually meets the legislative or regulatory requirements. As a result, compliance is more costly, since a high compliance risk can only be effectively reduced if the professional in charge of it is highly trained and has relevant experience.
We should note that the regulation of the GDPR is not completely technologically neutral, as the data security requirements of the GDPR (Article 32 (1)) also impose specific measures (e.g. pseudonymisation, encryption, backups).
The other side of technology neutrality is that such regulation should be applicable to all technologies, which in some cases is doubtful, e.g. in blockchain-based technologies, where the problem of exercising the data subjects' rights is not solved (in a decentralized system, all participants are also data controllers, so the data subjects' right to rectification or erasure cannot be exercised, as the blockchain ledger would become incomplete or inaccurate, etc.).
Preparation for personal data breaches
The most important element in protecting against personal data breaches is prevention and preparedness, which means taking appropriate security measures. Based on technology neutrality, the requirement should be interpreted on a risk-sensitive basis, i.e. security measures should be proportionate to the security risk. Therefore, the involvement of a security professional and a lawyer (team) is often required to establish the necessary measures.
Part of proper preparation is preparing the staff on how to respond in the event of a personal data breach. The tight deadline for reporting can only be met if, from the time the incident is detected, everyone involved in incident management knows exactly what to do, is aware of the chain of reporting and responsibility, and knows the deadlines laid down in internal and external regulations. For this, regular education and training and continuous preparation are essential.
For larger organizations, it is definitely worthwhile to set up an incident response team. In addition to gaining experience in incident management, team members also have the advantage of being able to channel inputs from areas that are often, but not necessarily, involved in incident management processes (e.g., HR, PR / marketing).
It should also be borne in mind that the data processor may also play an important role in the events. Therefore, when auditing the data processor as set out in Article 28 (3) point h) of the GDPR, the data controller should pay special attention to whether the data processor has the necessary internal regulations for incident management, ensures the obligations required by the GDPR, conducts regular training, maintains contact with the data controller and remains under its control, notifies it in a timely manner, etc.
Another important question arises when a key function concerning data breach management (IT, law, security, data protection officer, etc.) is outsourced, i.e. the person performing the tasks is not an employee of the data controller: is there a legal mechanism that extends the scope of the data controller's internal rules to that person, does the person participate in the data controller's internal training, and does the person have the same level of preparedness as the employees?
Obligations concerning the management of personal data breaches
The GDPR's approach to personal data breaches is to enforce the principles of transparency and accountability by requiring the data processor to self-report to the data controller, the data controller to self-report to the supervisory authority, the data subject to be informed and the data breach to be recorded. However, a number of other steps are also necessary to fulfil these obligations.
If the data controller has appointed a data protection officer (DPO), the DPO will supervise the incident management process, liaise with the supervisory authority and perform internal coordination tasks; often the DPO will also be the contact person towards data subjects or will coordinate the communication with them.
The very first step, once the (suspected) personal data breach is detected, is to conduct the necessary legal analysis, i.e. to determine whether it is a personal data breach in the legal sense and whether one of the exceptions to the obligation to notify the authorities or to inform the data subjects applies. This is followed by official notification, registration and information of data subjects.
The most important things to know about notifications are that they must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and that the controller must justify any delay beyond this time limit. The content of the official notification is prescribed by the GDPR itself, but, like some other foreign authorities, the Hungarian authority also prescribes a mandatory notification form, so the notification is usually only incomplete if the controller does not yet have all the necessary data. The GDPR specifically allows for notification in phases to address this situation. This allows the controller to submit the notification with incomplete data and to comply with the transparency requirement of the GDPR by transmitting the relevant information to the authority as soon as it becomes aware of a new piece of relevant information.
For many, this is not clear, but the notification to the authority can be withdrawn, so the controller has the possibility to review its previous decision and subsequently conclude that the above exception applies, or decide not to consider the reported security incident as a data breach after all. The GDPR treats the obligation to keep a data breach register together with the notification, because the purpose of the register is to allow the controller's compliance with its notification obligations to be verified.
The data controller also has an obligation to inform the data subjects. The communication must be made promptly and in such a way that the controller informs the data subject in a "clear and plain" manner of the incident, its consequences, the action taken to remedy it, and the contact details of the controller. The GDPR contains four exceptions to the data subjects' information requirement. Three of these relate to the consequences of a personal data breach: the breach did not inherently present a high risk to the data subjects, or this risk was adequately addressed by the data controller through prior measures (e.g. encryption) or subsequent measures (e.g. the personal data of the data subjects were destroyed after the incident). In the fourth case, the controller is exempted from the obligation to inform the data subjects individually on the grounds that it would require a disproportionate effort, in which case it must inform the data subjects by public communication.
Tasks after a data breach
The occurrence of a personal data breach may itself be a sign of a security vulnerability, inadequate infrastructure or regulation, so it is crucial that the controller analyses the personal data breach afterwards to identify what additional security measures can be taken to avoid similar situations in the future. Such an analysis, however, requires a fact-finding investigation, during which the investigating area or person gathers all the information necessary to conduct a detailed and accurate analysis.
The analysis should involve all functions affected by the data breach, but it is essential that the legal or compliance area, the DPO, and the security area are involved in the analysis (of course, in many cases these functions may overlap, in whole or in part, within the controller).
It is also possible that the competent authority may also require the data controller to take further action, and the controller should obviously consider the authority's requirements in its analysis, but this is in no way a reason for the data controller to delay its internal investigation until it receives some feedback from the authority or information that the authority will not start any proceedings in relation to the incident.
As we can see, handling a personal data breach is a complex process that requires the involvement of experts. Our first and foremost suggestion in relation to data breaches is that internal preparation for data breaches should not be abandoned. In many cases, the extent of the damage caused by an unprepared organisation can be down to luck. Preparedness is not a one-off exercise, but consists of regular processes, training, review and exercises.
Our second suggestion is that the data controller will not do well to try to substitute paper tigers for adequate preparation. When a personal data breach occurs, a rapid response is not only the right thing to do, but a legal requirement, and it is then too late to find the right professionals who can actually deal with the situation.
Our third suggestion is that the data controller should be aware of the risk and of the corresponding investment required to ensure data security. For data controllers and processors handling a lot of personal data, possibly special categories of personal data, the risk may be many times what they assume; conversely, a company operating in a fully digitised workflow may handle hardly any personal data, so the relevant risk may be lower than management thinks. Evaluating the risks associated with data processing, including incidents, is in any case an integral part of designing a GDPR-compliant data processing system.
Finally, our last suggestion is that a data controller with the right infrastructure, internal regulation and trained employees should also ensure that it has an appropriate privacy and data security culture. There should be consequences for non-compliance. Data protection, if it is really relevant for the company, must be a real part of the company's values and priorities, otherwise any professionally built data security will not be long-lived.