GDPR Learning Hub


Companies must prevent personal data breaches

Companies must prevent personal data breaches by taking appropriate technical and organisational security measures. A personal data breach occurs when personal data is, for example, accidentally or unlawfully destroyed, lost or altered, or when an unauthorised person gains access to it or it is disclosed without authorisation.

Consequences of personal data breaches for data subjects

In some cases, personal data breaches can have devastating consequences for data subjects. For example, a personal data breach may result in:

  • Identity theft,
  • Fraud,
  • Discrimination. 

Companies must prevent personal data breaches in accordance with GDPR

There are several things companies can do to prevent personal data breaches. It is also important to act as quickly as possible when a breach does occur, since a fast response can limit its consequences. It therefore pays to build a sound security culture within the company's operations.

Here are some examples of what companies can do to prevent personal data breaches:


Procedures

Personal data breaches should be detected as quickly as possible. It is therefore good practice to write down internal procedures that make clear to employees how to do this, for example through regular reviews of access permissions and regular testing of digital systems for vulnerabilities.


Action Plan

The company should prepare, before a personal data breach occurs, for what employees are to do when one does, so that they can act faster. The action plan can be complemented by a checklist. Such documentation facilitates the handling and management of personal data breaches and helps ensure that the company acts correctly under the GDPR.


Documentation

All personal data breaches must be documented, as this is a requirement under the GDPR. This applies even to controllers who do not need to notify the responsible data protection authority or the data subjects about the breach. The company should therefore make sure it has what it needs to document a personal data breach, for example a logbook (breach register) and a related checklist. The record should cover the facts of the breach, its effects and the remedial action taken, so that the data protection authority can verify that the company has complied with its obligations.

The European Data Protection Board (EDPB) has published guidelines with examples of personal data breach notification. They describe various kinds of personal data breaches and go through their possible effects, and they are helpful for understanding the analyses that need to be made when a personal data breach occurs.

EDPB binding decision on personal data breach

The Irish Data Protection Authority, together with several other data protection authorities in the EU, supervised a large company after it reported a personal data breach. The DPAs of the other EU countries did not, however, agree with the decision proposed by the Irish DPA, so the matter was referred to the EDPB's dispute resolution procedure.

The personal data breach involved posts from nearly 90,000 users becoming public because of programming errors. Among other things, the EDPB drew attention to the fact that the data subjects had wanted to limit the readership by keeping their posts private. The consequence for the company was a fine of EUR 450 000, issued by the Irish Data Protection Authority.

The position of the Court of Justice of the European Union (CJEU) on damages in the event of a personal data breach

According to the Court of Justice of the European Union (CJEU), data subjects whose personal data have been leaked may be entitled to damages if they have a well-founded fear that the data will be misused in the future. The CJEU had received a request for a preliminary ruling from the Supreme Administrative Court of Bulgaria, following a number of actions brought against the Bulgarian tax authority after personal data had been leaked and the data subjects demanded damages. The CJEU held that such data subjects may be entitled to damages. This is not something a data protection authority pursues on their behalf; it is something the data subjects must claim themselves, for example by bringing an action against the tax authority in court. Note that damages and fines are not the same thing: a fine is imposed by the data protection authority, while damages compensate the individual data subject.

More information about Data Breaches

Informing data subjects and the national data protection authority in case of personal data breaches

In some cases, a company that detects a personal data breach must inform the data subjects affected by it; under the GDPR this applies when the breach is likely to result in a high risk to their rights and freedoms. In addition, the company must notify the breach to the national data protection authority (or, for cross-border processing, the lead data protection authority) unless the breach is unlikely to result in a risk. Whether or not the company needs to inform the data subjects or the data protection authority, it must always document the breach. Note that the deadline for notifying the data protection authority is 72 hours from when the company became aware of the breach; if the notification is made later, it must be accompanied by the reasons for the delay.
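The documentation and notification duties above (the breach register from the Documentation section, and the 72-hour window for notifying the data protection authority) can be encoded in a small breach register so that every entry shows what is still outstanding. The following is an added example written for this page, not code from the page's author or from any regulator. The field names, the three-level risk scale ("none", "risk", "high") and the sample entries are assumptions made for the illustration; the risk assessment itself is a judgement the controller makes outside this code.

```python
"""Minimal personal-data-breach register (logbook) with the GDPR notification rules applied.

Added example, not from the original page. The three-level risk scale and all field
names are assumptions for the illustration; the controller's own risk assessment
decides which level an entry gets.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art. 33(1): notify the supervisory authority without undue delay and, where feasible,
# not later than 72 hours after having become aware of the breach.
DPA_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    reference: str
    aware_at: datetime                   # the 72-hour clock starts here, not when the incident happened
    facts: str                           # nature of the breach, categories and approximate numbers affected
    effects: str                         # likely consequences for the data subjects
    remedial_action: str                 # measures taken or proposed to address the breach
    risk: str                            # assumed scale: "none" | "risk" | "high"
    dpa_notified_at: Optional[datetime] = None
    subjects_informed_at: Optional[datetime] = None
    delay_reason: str = ""               # Art. 33(1): a late notification must state the reasons for the delay
    no_notification_rationale: str = ""  # why the controller decided no DPA notification was needed

    def dpa_deadline(self) -> datetime:
        return self.aware_at + DPA_NOTIFICATION_WINDOW

    def dpa_notification_required(self) -> bool:
        # Art. 33(1): notification may be skipped only if the breach is unlikely to result in a risk.
        return self.risk != "none"

    def subjects_must_be_informed(self) -> bool:
        # Art. 34(1): inform data subjects when the breach is likely to result in a high risk.
        return self.risk == "high"

    def hours_left(self, now: datetime) -> float:
        """Hours remaining before the DPA deadline; negative once it has passed."""
        return (self.dpa_deadline() - now).total_seconds() / 3600

    def open_items(self, now: datetime) -> List[str]:
        """Everything still missing before this entry can be closed in the register."""
        items: List[str] = []
        # Art. 33(5): the record must document facts, effects and remedial action.
        for name in ("facts", "effects", "remedial_action"):
            if not getattr(self, name).strip():
                items.append(f"record is missing '{name}' (Art. 33(5))")
        if self.dpa_notification_required():
            if self.dpa_notified_at is None:
                if now > self.dpa_deadline():
                    items.append("DPA notification overdue (72-hour window has passed)")
                else:
                    items.append(f"DPA notification due in {self.hours_left(now):.1f} h")
            elif self.dpa_notified_at > self.dpa_deadline() and not self.delay_reason.strip():
                items.append("DPA was notified late; reasons for the delay must be recorded")
        elif not self.no_notification_rationale.strip():
            items.append("no DPA notification planned; document why the breach is unlikely to result in a risk")
        if self.subjects_must_be_informed() and self.subjects_informed_at is None:
            items.append("data subjects must be informed without undue delay (high risk)")
        return items


def sample_register() -> List[BreachRecord]:
    """Constructed sample entries for the illustration; these are not real incidents."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    return [
        BreachRecord("BR-001", t0, "Laptop with encrypted HR export lost in transit",
                     "None expected: full-disk encryption, key not compromised",
                     "Device remotely wiped; courier process reviewed", "none",
                     no_notification_rationale="Data unreadable without the key; unlikely to result in a risk"),
        BreachRecord("BR-002", t0, "Misconfigured storage bucket exposed 1,200 customer e-mail addresses",
                     "Phishing and spam against the affected customers",
                     "Bucket made private; access logs reviewed", "risk"),
        BreachRecord("BR-003", t0, "Database with names and bank details exfiltrated",
                     "Fraud and identity theft",
                     "Credentials rotated; banks informed", "high",
                     dpa_notified_at=t0 + timedelta(hours=80)),  # notified 8 h after the deadline
    ]


def register_status(hours_since_aware: float) -> dict:
    """Open items per entry, evaluated `hours_since_aware` hours after each entry's aware_at."""
    status = {}
    for rec in sample_register():
        now = rec.aware_at + timedelta(hours=hours_since_aware)
        status[rec.reference] = rec.open_items(now)
    return status


if __name__ == "__main__":
    for ref, items in register_status(12).items():
        print(ref, items or ["closed"])
```

Run as a script to see the state of the sample register twelve hours after awareness: the encrypted-laptop entry is closed because its rationale for not notifying is recorded, the exposed bucket still has 60 hours to notify the authority, and the exfiltrated database shows both a late notification without a recorded reason and data subjects who have not yet been informed.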
