We all hope we are never subject to a data breach (either as controller or as data subject), but most likely, in one way or another, you will have witnessed one at some level at some point.
A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
When looking for some new spectacles I went into a specialty store. The store was reasonably busy and tight fitting. I went to the front desk, which was a small little desk in the middle-end of the store. There was no person behind the desk, and a nice lady came from the back, where more people were being helped, and took my information so that I could have my eyes checked. Well trained in GDPR, she asked me if she could process my data in accordance with the GDPR. I consented. I noticed immediately a pink slip with customer details on it, including name, address, phone number, prescription details and insurance details. This had been lying around, and when I looked around the desk a whole plastic bucket of these pink slips from other clients was within arm’s length for anyone to grab. Sure, they had cameras hanging up. But that would be more a reactive measure. Surely there’s a better and safer way to store sensitive information?
One of the principles of processing personal data is the minimization principle. Only store and process the personal data you need, not just what you want (of course taking into account that you must have a lawful basis to begin with to process personal data). But let me put it this way: if you’re a hairdresser collecting personal data from clients who give you consent and, besides the obvious, the other data you collect is whether they have children, what their favorite color car is, and so on. If you don’t need it for your purpose, you may not process it. You must ensure the personal data you are processing is:
It’s not just what to do once a data breach occurs, but also what preparations you should have made before the proverbial hits the fan.
Having a privacy risk register will help you recognize risks, assess risks and know when and how to respond to potential threats. Please contact me for more information to create your own privacy risk register.
Sign up now for the 60 Day Privacy & Risk Challenge, starts February 3rd.