You don't have to sue, but you do have to report it!

There are many ways in which data in your business can be compromised: a targeted attack by hackers, malware, or simple human error. Do you know how to react to such a situation without being fined under the GDPR?

The clock starts ticking

If a situation has arisen in which personal data may have been compromised, you need to assess it carefully. It is also a fundamental obligation of every controller to report such a breach to the supervisory authority (the Data Protection Authority) without undue delay and, where feasible, no later than 72 hours after becoming aware of it. If you want to avoid sanctions from the authority, it is definitely in your interest to start investigating the incident immediately; the time you lose at the beginning is time you will not have at the end of the 72 hours.

Everything depends on communication

Once you become aware that a personal data breach may have occurred, the 72 hours mentioned above start running, and within that time you must assess the impact and, where required, notify the authority. If you cannot gather all the facts in time, the GDPR allows you to provide the information in phases, but the initial notification must still go out without undue delay. If your employees are properly trained, this situation should be manageable. Make sure everyone in the company knows whom to report a potential incident to and what circumstances to record when doing so (what happened, when it was noticed, which systems and data were involved). It is always better to report too much than too little.

The duty to notify the authority does not always arise. If you assess the incident as a breach that is unlikely to result in a risk to the rights and freedoms of individuals, you do not need to report it. Determining the extent and consequences of a breach can be tricky. It depends largely on what personal data has been affected and which categories of data subjects are involved. For example, data about children enjoy a higher level of protection. A leak of health records is also hard to compare with a leak of e-mail addresses collected for a newsletter.

What exactly do I need to report?

First of all, you should describe the nature of the breach and indicate which categories of data and data subjects were affected, together with the approximate number of affected persons and records, estimated as accurately as possible. The authority will also ask for the contact point within your company (the data protection officer, if you have one). The controller must further describe the likely consequences of the breach and the measures taken or proposed to address it and mitigate its effects. Every breach, including one that does not have to be reported to the authority, must be documented by the controller, together with the facts, its effects and the remedial action taken, so that the authority can verify compliance and so that the breach is not repeated.

You can't just get rid of liability

If you thought you could pass the buck to the outsourcer who processes the data for you, you will be disappointed. Where personal data is processed on your behalf by an external entity (a processor), that entity must notify you as the controller without undue delay after becoming aware of the breach. Responsibility then rests with you: you must investigate, assess and, where required, report the incident to the authority. Make sure the obligation to notify you promptly, and to cooperate in the investigation, is written into your contract with the processor.

Reporting is not the end of the process

You could say that the worst is over. Unfortunately, there is one more unpleasant step you may have to take. In certain cases you must also inform the affected data subjects directly. This step is only required if the breach is likely to result in a high risk to their rights and freedoms. Contact the individuals directly, in clear and plain language, describing the breach, the likely consequences and the measures taken. Simply posting a notice on a website does not fulfil this obligation, except where contacting each person individually would involve disproportionate effort, in which case an equally effective public communication may be used instead.

Has your company experienced a situation in which personal data was compromised? If you want to be sure you are handling it correctly, do not hesitate to contact us; we will be happy to go through everything with you.