Data breaches
Documentation in the event of a personal data breach
Companies must draw up certain documentation whenever a personal data breach occurs. In addition, in most cases the company must notify the national data protection authority of the breach; the only exception is a breach that is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, the company must also inform the data subjects themselves.
Demonstrate that the company complies with the GDPR
It is important to keep in mind that companies must be able to demonstrate that they comply with the GDPR (the accountability principle). If the data protection authority audits the company and asks to see the documentation of a personal data breach, the company is in violation of the GDPR if it cannot produce that documentation, even if the breach itself was handled correctly.
Establish documentation of personal data breaches in accordance with GDPR
Whether the company concludes that it needs to inform the data subjects or notify the national data protection authority has no bearing on the requirement to document the breach. All companies must document every personal data breach, regardless of whether the breach is notifiable under the GDPR. The documentation should cover the facts of the breach, its effects and the remedial action taken, so that the authority can verify the company's assessment afterwards. Keeping the documentation in a digital breach register, rather than in ad hoc notes or e-mails, reduces the risk that a breach is forgotten or recorded incompletely, which would itself be a violation of the GDPR.
Anticipate any personal data breaches
In order to act as quickly as possible in the event of a personal data breach, the company should have anticipated the situations in which a breach may occur, such as lost or stolen devices, misdirected e-mails, misconfigured systems that expose data, insider misuse, and cyberattacks. Having thought these scenarios through in advance makes it easier to prepare how to act when one of them materializes. The company should therefore establish incident response plans and business continuity plans for the different types of breaches and attacks it expects, and exercise them periodically.
Among other things, this should be stated in the documentation:
Event
Information about what happened and how it happened: which systems and categories of personal data were affected, approximately how many data subjects and records were involved, and how the breach was detected. The breach should be described in as much detail as possible.
Timing
The time at which the personal data breach occurred and the time at which the controller became aware of it. These are often different: the breach may have occurred five days ago, but the company only became aware of it today. In that case both points in time must be recorded, because the 72-hour notification deadline runs from the moment of awareness, not from the moment the breach occurred. If the time of occurrence can only be estimated, record the estimate and the basis for it.
Measures
What measures the company has taken to minimize the risks and consequences of the personal data breach.
Notification of a personal data breach to the data protection authority must take place without undue delay and, where feasible, no later than 72 hours after the company became aware of the breach. If the notification is made later than that, it must be accompanied by the reasons for the delay, and information may be provided in phases if not everything is known at once. If the breach is also a criminal offence, for example unauthorized access to the company's systems or a ransomware attack, the company should also report the offence to the police.
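As an added illustration (not part of the original article), the following Python sketch shows what a minimal entry in a digital breach register might look like: it keeps both timestamps the text asks for, derives the 72-hour notification deadline from the time of awareness, and reports whether notification is still open, overdue, or late. The field names, the sample incident and the status wording are this example's own assumptions, not GDPR terminology or any product's schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art. 33(1) GDPR: notify the supervisory authority without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """One entry in a breach register (field names are this example's own)."""
    description: str                  # what happened and how, in detail
    occurred_at: datetime             # when the breach took place (may be an estimate)
    aware_at: datetime                # when the controller became aware of it
    measures: List[str] = field(default_factory=list)  # steps taken to limit risk/effects
    notifiable: bool = True           # False only if unlikely to result in risk to individuals
    notified_at: Optional[datetime] = None  # when the authority was notified, if at all

    def __post_init__(self) -> None:
        if not self.description.strip():
            raise ValueError("description is required: document what happened and how")
        for name in ("occurred_at", "aware_at", "notified_at"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware so the deadline is unambiguous")
        if self.aware_at < self.occurred_at:
            raise ValueError("aware_at cannot precede occurred_at")

    @property
    def deadline(self) -> datetime:
        """The 72-hour clock runs from awareness, not from the breach itself."""
        return self.aware_at + NOTIFICATION_WINDOW

    def detection_lag(self) -> timedelta:
        """How long the breach went unnoticed; worth recording next to both timestamps."""
        return self.aware_at - self.occurred_at

    def status(self, now: datetime) -> str:
        """Human-readable notification status at time `now`."""
        if not self.notifiable:
            return "not notifiable: document internally only"
        if self.notified_at is not None:
            if self.notified_at <= self.deadline:
                return "notified within 72 hours"
            return "notified late: record the reasons for the delay"
        if now <= self.deadline:
            hours_left = (self.deadline - now) / timedelta(hours=1)
            return f"open: {hours_left:.1f} hours until the notification deadline"
        return "overdue: notify immediately and record the reasons for the delay"


def build_example_record() -> BreachRecord:
    """Constructed sample matching the article's scenario: the breach happened
    five days before anyone noticed it (sample data, not a real incident)."""
    aware = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)
    return BreachRecord(
        description="Misconfigured file share exposed a customer export to the internet.",
        occurred_at=aware - timedelta(days=5),
        aware_at=aware,
        measures=["share taken offline", "access logs preserved", "affected records identified"],
    )


if __name__ == "__main__":
    rec = build_example_record()
    print("detection lag:", rec.detection_lag())
    print("deadline:", rec.deadline.isoformat())
    print(rec.status(rec.aware_at + timedelta(hours=1)))
    print(rec.status(rec.aware_at + timedelta(hours=80)))
```

The point of the two separate timestamps is visible in `deadline`: a breach that went undetected for five days still leaves the full 72 hours once it is discovered, but the detection lag itself is something the authority will ask about, so it is recorded rather than hidden. Timezone-naive timestamps are rejected because a register that mixes local times and UTC will get the deadline wrong by exactly the kind of margin that matters here.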
The company should establish and implement written internal procedures
Companies should have written internal procedures describing how employees are to act in the event of a personal data breach: whom to report a suspected breach to, who assesses it, who decides on notification, and who records it in the breach register. Acting quickly matters, because the consequences of a breach tend to worsen the longer it goes unaddressed, and the company must adhere to the timeframes set out in the GDPR for notifiable breaches. Written procedures make the process more efficient and reduce the risk that an employee takes a wrong step under time pressure, for example by deleting evidence or delaying an internal report.
More info about data breaches
Preventing personal data breaches
The GDPR is very clear that companies must prevent personal data breaches by taking appropriate technical and organizational measures to protect personal data. This is reflected in one of the seven (7) basic data protection principles, the principle of integrity and confidentiality. Examples of such measures are encrypting personal data at rest and in transit, restricting access to those who need it, logging access so that a breach can be detected and reconstructed, and keeping regular, tested backups, for example in a cloud service, so that data can be restored after a ransomware attack or accidental deletion. The measures must be proportionate to the risk: the more sensitive the personal data and the greater the potential harm to the data subjects, the stronger the security measures required.