We all hope we’re not subject to one (either as controller or as data subject) but most likely in one way or another you will have witnessed a data breach at some level at one point.
Definition of Personal Data Breach
A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A recent experience
When looking for some new spectacles I went in to a specialty store. The store was reasonably busy and cramped. I went to the front desk, which was a small little desk in the middle-end of the store. There was no person behind the desk, and a nice lady came from the back, where more people were being helped, and took my information so that I could have my eyes checked. Well trained in GDPR, she asked me if she could process my data in accordance with the GDPR. I consented. I noticed immediately a pink slip with customer details on it, including name, address, phone number, prescription details and insurance details. This had been lying around, and when I looked around the desk, a whole plastic bucket of these pink slips from other clients was within arm’s length for anyone to grab. Sure, they had cameras hanging up. But that would be more a reactive measure. Surely there’s a better and safer way to store sensitive information?
Minimize your data, because you can’t lose what you don’t have
One of the principles of processing personal data is the minimization principle. Only store and process the personal data you need, not just what you want (of course taking into account that you must have a lawful basis to begin with to process personal data). Let me put it this way: suppose you’re a hairdresser collecting personal data from clients who give you consent, and besides the obvious, the other data you collect is whether they have children, what their favorite color car is, and so on. If you don’t need it for your purpose, you may not process it. You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose
- relevant – has a rational link to that purpose, which in the example mentioned above is not the case
- limited to what is necessary – you do not hold more than you need for that purpose.
What to do in case of a data breach?
It’s not just what to do once a data breach occurs, but also what preparations you should have made before the proverbial hits the fan.
- Firstly, you should already have a process in place to assess the potential risks to data subjects as a result of a breach (you would keep track of this in a privacy risk management register).
- You should also have a process in place to notify the data authority within 72 hours of becoming aware of the breach. Even if you don’t yet have all the details, you still need to notify the data authority within 72 hours.
- You should be aware of what information you must give the data authority about the breach. You can find this information on their website.
- You should also have a plan or process in place in the event that you need to inform data subjects who were affected by the breach when it’s likely to result in a high risk to their rights and freedoms. You should know when to inform and what information you’re required to give them.
- You don’t always have to notify the data authority of a breach. But you need to document them all. Why? This is part of your proof of accountability and your (future) risk assessment. If you don’t log breaches/mistakes you can’t learn from them either.
Need help creating a Privacy Risk Register?
Having a privacy risk register will help you recognize risks, assess risks and know when and how to respond to potential threats. Please contact me for more information to create your own privacy risk register.
Would you like to learn more about breaches and privacy & risk issues?
Sign up now for the 60 Day Privacy & Risk Challenge, starts February 3rd.