A personal data breach, what should I do?
First of all: prevent it! Or at least, try to. Prevention starts with sound security of your environment and with raising awareness. Securing your digital environment must by now be a top priority, as became apparent again this week when, for the second time in a short period, a worldwide cyberattack took place. In May of this year the world was hit by the WannaCry ransomware (/kennis-delen/nieuws/tips-ter-bescherming-van-je-organisatie-tegen-ransomware-als-wann); on 27 June 2017 a worldwide attack followed with a new variant of the Petya ransomware. The Dutch Data Protection Authority (DPA) takes the position that ransomware that has encrypted files containing personal data constitutes a personal data breach.
In the blog of 31 May 2017 we gave you 10 tips for getting your organization ready for the European General Data Protection Regulation (GDPR). This Regulation will come into force on 25 May 2018 and will then replace the Data Protection Act.
In this blog I will explain tip 3 in more detail: draw up a procedure for personal data breaches, so that it is clear which steps your organization must take in the event of a personal data breach or a suspected one.
What is a personal data breach?
There is a personal data breach if personal data fall into the hands of third parties who should not have access to them, or if the data are lost, and the cause appears to be a security problem. The breach must be reported to the DPA within 72 hours after its discovery by you or, if earlier, by your processor or sub-processor. In addition, the breach may have to be reported to the data subjects as well; whether this is required depends on the circumstances of the case. In my blog of 16 May 2017 (/kennis-delen/blog/overzicht-meldingen-datalekken-eerste-kwartaal-2017) I also discussed personal data breaches and what to do when one occurs.
Changes under the GDPR?
The GDPR does not change much about the obligation to report data breaches. One difference from the current obligation is that under the GDPR the DPA only needs to be notified if a breach has actually occurred; currently, a security incident already counts as a personal data breach if unlawful processing of personal data cannot be ruled out. Another difference is that the GDPR sets stricter requirements for the registration of personal data breaches.
Precautionary measures, procedure and roadmap
It is important to prevent a personal data breach from occurring in the first place. It is therefore crucial that the security of the systems in your organization that process personal data is up to par and up to date. You achieve this by maintaining a strict patch and update policy for your system software, firewall and antivirus software.
But that alone is not sufficient. It is also essential that employees in the organization are clearly aware of the risks. A personal data breach can easily be caused by, for example, a USB stick with personal data that is left lying around, or files with personal data that are accessible to far too many people. Maintaining, communicating and monitoring clear rules in this area raises awareness and reduces the likelihood of a breach. Security measures will be dealt with in more detail in a later blog in this series on the introduction of the GDPR.
Despite all precautionary measures, a personal data breach may still occur. How should you act in that case? Below you will find a practical roadmap.
First of all, certain steps must be taken in advance so that you can act swiftly and properly when a breach occurs. These include:
- Make clear arrangements
Contractually require your processors and sub-processors to report personal data breaches as soon as possible, for example within 24 hours after discovery, with all necessary information, so that you can comply with your own obligation to notify the DPA.
- Incident management
Ensure there is automated monitoring for intrusions and malware. Make arrangements within your organization for reporting internal and external security incidents: designate a first point of contact, agree on how quickly incidents must be reported and acted upon, and ensure that these arrangements are followed.
- Communication and reputation
Draw up a plan for how to communicate in the event of a personal data breach, with both the data subjects and the press. This can help prevent reputational damage. Decide at this stage whether or not external experts will be engaged.
Take out cyber risk insurance. Pay particular attention to the coverage and the deductible, and to whether possible penalties are covered.
Should a personal data breach occur, you will then at least be prepared to some degree. If a breach does occur, make sure the following steps are taken:
- Breach of security?
Check whether personal data have been lost or whether there has been unlawful processing, for example unauthorized access to personal data, or their destruction or inaccessibility (a security incident).
- Determine which security incidents occurred and investigate their cause.
- Examine the security incident: what is the nature of the affected data? Are they special (for example medical) or confidential (for example financial) personal data, and what exactly happened to them?
- Examine the extent of the security incident: how many people were affected, how many data items per affected person, and are the affected data shared within a chain?
- Examine the impact of the breach on the data subjects (customers, prospects, personnel, citizens): are vulnerable groups involved (for example children, the elderly, sick or mentally ill persons), and could there be financial harm?
- Finally: remedy the breach. Take measures to limit the consequences of the security incident and to prevent recurrence.
3. Obligation to notify the DPA
Report the personal data breach if it has serious adverse consequences for the protection of personal data, or if there is a considerable chance of such consequences. Use the Meldingsformulier Datalekken (the DPA's data breach notification form) to report it.
4. Informing data subjects?
If the breach of security is also likely to have adverse consequences for the private life of the data subjects, not only must the DPA be notified, but the data subjects themselves must also be informed. You will have to assess for yourself whether this is the case. There is no obligation to inform the data subjects if the data have been made unintelligible or inaccessible (for example through encryption or remote deletion).
5. Registration of security incidents
The GDPR sets stricter requirements for your own registration of the personal data breaches that have occurred in your organization. Therefore keep a record of all incidents that must be reported to the DPA, and retain it for at least one year, or for at least three years if the data subjects are not informed.