Data Breaches
Risk assessment when a personal data breach occurs
Companies shall carry out a risk assessment when a personal data breach occurs. A personal data breach is a security incident in which someone unauthorised gains access to personal data, or in which personal data are altered or destroyed. Article 4(12) of the GDPR defines what a personal data breach is. By carrying out a risk assessment, the company can determine what measures it needs to take to minimise the risks and consequences of the personal data breach.
Below you can read about some factors that companies should take into account when carrying out the risk assessment:
What kind of personal data breach it is
The consequences vary depending on the type of personal data breach. In the worst case they are serious, for example if a credit card number or passport photo leaks and leads to identity theft, fraud or a similar crime. In many cases the breach is also more serious when it involves a combination of different types of personal data, which is worth keeping in mind.
Nature and sensitivity of personal data
The more sensitive the personal data, the greater the risk that the rights and freedoms of the data subjects will be affected. It is therefore important to analyse how sensitive the personal data covered by the breach are. The GDPR recognises four categories of privacy-sensitive personal data, one of which is the sensitive personal data regulated in Article 9 of the GDPR.
How easy it is to identify the data subjects
Data that can be linked to a living natural person are personal data. The link can be made either directly, or indirectly in combination with other data. When carrying out the risk assessment, it is important to analyse how easily the data subjects can be identified from the personal data covered by the breach, since this determines the potential consequences of the breach.
If a company has encrypted its personal data and someone unauthorised gains access to part of the encrypted data but cannot read it without the remaining parts (such as the decryption key), the breach may be less serious because the risk of misuse is lower.
Consequences that a personal data breach may have for data subjects
It is important to analyse the consequences that the personal data breach may have for the data subjects, and also how the risks to them can be minimised.
For example, risks can be minimised by informing the data subjects so that they have the opportunity to take action themselves. In addition, companies shall take their own appropriate measures to minimise the risks.
If it is known that criminals have gained access to the personal data, there is a higher risk that it will be misused.
Type of data subjects and type of business
It is important to analyse which types of data subjects are affected by the personal data breach. For example, children and people who are ill have stronger protection under the law because they are considered particularly in need of protection. A breach concerning their personal data may therefore be more serious.
The risks also differ depending on the type of business the controller operates. If a medical clinic suffers a personal data breach in which sensitive personal data about health conditions are leaked, that is a more serious incident than if, for example, information about who subscribes to a film service is leaked.
Number of data subjects and amount of personal data
In addition, it is important to analyse how many data subjects and how much personal data are covered by the personal data breach.
More information about data breaches
Documentation in the event of a personal data breach
Companies must always document every personal data breach that occurs. In the documentation, the company must give the reasons for its conclusions and, among other things, describe what has happened. It is also good practice for companies to establish routines for their employees that make clear how they should act in the event of a personal data breach, so that staff can handle the breach quickly and efficiently and minimise the risks.