Personal Data Breaches and GDPR measures
Companies processing personal data of EU citizens must notify the Supervisory Authority in case of personal data breaches and take measures. Here you can read information about personal data breaches and GDPR measures, such as notification requirements according to GDPR.
Technical and Organizational Security Measures according to the GDPR
According to the GDPR, personal data breaches must be reported to the Supervisory Authority within 72 hours. It is the Personal Data Controller that must report the breach. A personal data breach is a security incident, that can involve a risk to human rights and their freedoms.
GDPR also requires companies to introduce different types of technical and organizational security measures, to protect personal data in different ways.
The technical and organizational security measures that the company implements must be appropriate in relation to the nature of the personal data. For example, in relation the risks of the processing, the cost of the measures and the technical possibilities.
An example of an organizational security measure is the introduction of policies that all employees must follow. For example, data protection policy, IT policy, policy for annual password changes, etc.
A technical security measure is to introduce digital security systems. For example, systems that detect intrusions, attempted intrusions, loss or destruction of personal data, antivirus software, etc.
Common Personal Data Breaches
Sending emails to the wrong recipiant
Sending an email that contains personal information to the wrong person or with the wrong information is the most common personal data incident two (2) years in a row according to reports from the Privacy Protection Authority. For example, this can be done by misspelling the recipient’s email address. Therefore, it is good to introduce routines for how employees should check that messages are sent to the correct recipient. It is also good to have a routine for how employees should act if an email is sent to the wrong person or similar. The company is responsible for the incidents and therefore it is good to have clear instructions and policies. The employees must know these and work according to them.
Loss or theft
Loss of, for example, mobile phones and computers can unfortunately happen. Often there is personal information in a mobile phone, such as name and phone number. Many people today work with their computer and use calendars or documents where they enter personal information. Therefore, it is very important to make sure you have a password. Among other things in the hardware and in the internal systems and registers that the company uses. In addition, it is important to have routines for what should happen if an incident occurs. For example, it is good if it is possible to block a telephone or to empty a digital storage space remotely. In this way, you can prevent personal data from falling into the wrong hands and minimize the risks of the incident.
Hacking and Phishing
Unfortunately, it is common for companies and their digital systems to be hacked. Therefore, it is very important to try to work to prevent it. For example, it is good to have different passwords, for different systems, which are very complicated, long and which consist of different characters, letters and numbers. There are hackers today who use robots to test themselves with different passwords to try to access content. It is good to put in place systems that detect attempts at intrusion. Also systems that can block a user from trying to log in with the wrong password too many times or similar. If a data breach occurs, it must be reported to both the Police and the Privacy Protection Authority.
Printed documents and documents containing personal data. For example, an employment contract or other agreement may be lost or in the wrong hands. It is important to be organized and to think about where such things are stored. One suggestion is to have physical documents in a locked locker, out of reach of unauthorized persons. For example, it is important to ensure that documents containing various personal data are not visible or accessible on an unmanned desk where unauthorized persons have access or the like.
Content of a notification under the GDPR
A common question many entrepreneurs ask is, among other things: “What should I do if personal data breach occur?”
First and foremost, it is important to have internal routines regarding what needs to be done if it happens.
Also, it is important to first report the incident to the Supervisory Authority, and sometimes also to the Police. According to the GDPR, such notification must be made within 72 hours.
Notification according to Article 33 of the GDPR
Article 33 of the GDPR also contains a provision specifying what such a notification must contain. These are mainly the key parts below:
- The report must include a description of the breach and the type of incident in question.
- The report must also, if possible, contain information about the types of persons and categories of personal data that are affected by the incident.
- The company must also report information on the approximate number of personal data that are affected by the incident.
- The report must also contain the name and contact details of the person who can provide more information about the event. For example, a manager or data protection officer.
- The company must also describe what the probable consequences of the breach are. And what measures the company has taken to reduce the consequences of the incident.
- The GDPR also states that the company must document all incidents internally. For example in a logbook. This should be done so that the Supervisory Authority can check that the company complies with the GDPR.
Next, it is important to do as much as possible to prevent the negative effects of an incident.
The more sensitive the personal data is, the more security the company needs to have around it. In some cases, the company must also contact the data subjects who have been affected by the breach and inform them of what happened.
News about GDPR and reviews from supervisory authorities
In addition to this information about personal data breaches and GDPR measures, you can also read our GDPR summary. And also about various news about the GDPR on this website. For example, audits carried out by Supervisory Authorities and sanction fees that they distribute. By learning from mistakes from others, it is possible to avoid making similar mistakes yourself. In addition, you can find information that is important and good to know as an entrepreneur as well as guides.
Summary of the GDPR for Companies, Entrepreneurs and Businesses
There is a lot of information about the GDPR that is important for companies, entrepreneurs and businesses to know about. We have therefore written a GDPR Summary and mention various key elements. Therefore, we are able to provide an overview of the GDPR, what it means and what companies must do to comply with the EU regulation.