
How to manage a personal data breach?
Published on 24 December 2018

The accountability logic promoted by the new personal data regulation leads professionals of all sizes to be concerned about the security of data processed in the context of their activities.

Today, internationally renowned companies such as social networks, postal services, or large hotel groups are suffering security breaches with considerable impacts. Consistent with this trend, the French Data Protection Authority (CNIL) received no fewer than 1000 breach notifications in 2018, including 724 since the entry into force of the GDPR on 25 May 2018, affecting a very large number of data subjects (more than 33 million individuals)[1].

It is therefore essential to have an organisational and procedural process in place to deal with security incidents of any kind. From identification to eradication of the threat, everything must be managed and structured within the company to prevent a personal data breach from occurring again.

 

Pillar number 1: Identification of data breaches and risk assessments

There is no point in launching the internal management procedure if the company is not actually facing a personal data breach. But first, what is a personal data breach? It is a security breach that results in the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of personal data”[2]. Such a security breach can be of any kind (logical, physical, or even organisational).

The existence of a security breach may reveal several weaknesses, including inadequate protective measures within your company’s information system, or simply the absence of the technical and organisational measures required by the GDPR[3].

For the identification step, the company must be able to determine clearly whether an incident constitutes a personal data breach, since that is what triggers the procedure required by the applicable regulations. A security incident that does not involve personal data will not require the company to apply the GDPR. For example, a security incident may consist of a breach of the rules applicable to the company’s internal processing.

Once the personal data breach has been identified, it is essential to analyse the risk and the impact of this breach for the data and the data subjects. To do so, the company will have to pay particular attention to the nature of the breach, its scope (types and volume of data affected), the number of data subjects potentially affected, the nature of the impact (material, physical or even moral), and even the company’s line of business.

These criteria will help the company determine the exact nature of the breach (confidentiality, integrity or availability of the data)[4] and adapt the procedure to ensure the best possible management of the breach.

 

Pillar number 2: Establish a procedure dedicated to the management of data breaches

The purpose is to define a framework describing the steps and means to contain, manage and remedy any identified breach of personal data.

An adequate breach management process first implies the existence of a governance system, embodied by a group of competent persons within the company, which in the largest companies may take the form of a “crisis committee”. This group should include all the skills necessary to ensure that the right organisation is adopted in the event of a data breach, and also to evaluate the breach in its legal, technical, financial and reputational aspects.

Once this foundation is built, it will be easier to implement an internal process specifically dedicated to the resolution of data breaches. This foundation will help define the roles and responsibilities of each stakeholder when a breach occurs and will determine all the tasks to be carried out in response to the event.

The process must remain stable over time and must above all involve all employees: it is indispensable to spread the process throughout the company in order to establish a culture of personal data security, in particular through training.

 

Pillar number 3: Document the breach (both internally and externally)

A personal data breach is recorded at two levels.

Internally, the objective is to record the event in a register dedicated to this purpose[5]. When such an incident occurs, it is necessary to document at least the facts, the consequences of the breach, and the measures taken to remedy it and mitigate its impact.

This record should log all breaches of personal data identified by the company, including the ones that are not subject to external notification.

As required by the GDPR[6], personal data breaches must be notified to the supervisory authority and, in specific circumstances, to the data subjects.

Regarding the notification to the supervisory authority, it must be made within 72 hours of the controller becoming aware of the incident, provided there is a risk to the rights and freedoms of the data subjects, regardless of its seriousness. It is therefore essential to have a specific process for managing data breaches so that the controller is responsive in handling and reporting the security incident.

If the 72-hour deadline cannot be met, the controller must justify the delay with compelling reasons. To assist the company in carrying out this notification, the CNIL provides a form listing the information required for a complete and compliant notification[7].

Regarding the notification of data subjects, they must be informed of the breach as soon as possible if it poses a high risk to their rights and freedoms[8]. That being said, the GDPR gives the controller some flexibility with the option not to notify data subjects when:

  • Technical and organisational measures are implemented on the personal data affected by the breach, for example measures rendering the data unintelligible to any person who is not authorised to access it;
  • Measures are implemented ensuring that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.

As with the notification to the authority, data subjects must be made aware of the content of the data breach (facts and consequences), as well as the measures taken to remedy the problem and mitigate the risks.

In the overall management of the breach, the DPO will play a role in the risk assessment and will act as the contact point for the supervisory authority and the data subjects. The DPO has an important responsibility in the process, coordinating the steps to be carried out by the various stakeholders.

A personal data breach is therefore everyone’s concern and will involve more or fewer people depending on the size of the company. Its management must be subject to rigorous supervision. Current events show that attacks suffered by the largest entities may have affected hundreds of millions of data subjects and involved significant amounts of personal data[9], and remediation of these breaches will not be possible without the right process in place.

 

[1] https://www.cnil.fr/fr/infographie-bilan-4-mois-de-rgpd-en-chiffres-notification-de-violation

[2] Article 4.12 of the GDPR

[3] Article 32 of the GDPR

[4] Typology of data breaches as provided for in the Guidelines issued by the G29 on the notification of personal data breaches, adopted on 3 October 2017 and revised on 6 February 2018

[5] Article 33.5 of the GDPR

[6] Former article 34 of the French Data Protection Act before its amendment adopted on 20 June 2018.

[7] https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles

[8] Article 34.1 of the GDPR

[9] https://www.businessinsider.com.au/data-hacks-breaches-biggest-of-2018-2018-12/amp