Do you always have to report an unauthorized disclosure of personal data? Guidelines for administrators on properly reporting data breaches
Managing personal data breaches is one of the many obligations that the GDPR imposes on data controllers. Administrators often have difficulty determining whether and how to report a personal data breach to the President of the Office of Personal Data Protection (PUODO). The practice, followed so far by some entrepreneurs, of notifying every data protection incident does not always bring the expected results. The latest PUODO decision imposing a financial penalty on an entity that published excessive personal data of sports judges on its website dashed entrepreneurs’ hopes that reporting a breach on their own protects them against negative consequences from the authority.
To help data controllers correctly comply with the obligation to record and report breaches, the Office of Personal Data Protection prepared a practical guide in June 2019, available on the office’s website.
When managing personal data violations, it is important to remember that:
• disclosure of data is not the only form of a data protection breach
A data protection breach occurs in three forms: (i) a confidentiality breach (personal data are disclosed to an unauthorized person), (ii) an availability breach (permanent or temporary loss of access to personal data) and (iii) an integrity breach (personal data are modified in an unauthorized manner).
Therefore, a breach occurs not only when, for example, we send a file containing personal data to the wrong email address, but also when a computer disk on which we store personal data is damaged and no backup has been made, or when we give a third party the password to an employee’s computer. It is worth making employees aware of which events may constitute a data protection breach, so that they know when to notify the designated persons.
• entering into a contract for entrusting the processing of personal data does not exempt the controller from liability for the data
The administrator is responsible for whoever processes personal data on its behalf. Before concluding a contract for entrusting the processing of personal data, it should be verified whether the entity with whom the contract is concluded actually guarantees an appropriate level of security, e.g. by means of a questionnaire and, for key contracts, an audit. When drawing up the processing contract, the data controller should ensure that it contains provisions guaranteeing that the controller receives information about a breach early enough to be able to prevent or limit its consequences and, where necessary, notify PUODO. A good practice is to state directly how many hours the processor has to inform the administrator about a breach.
• every breach should be recorded in the administrator’s register, but not every breach should be reported to the President of the Office of Personal Data Protection
If a data protection breach is found, the controller is required to investigate whether it entails a risk to the rights and freedoms of individuals and what the level of that risk is. Where there is no risk or only a very low level of risk, it is enough to record the incident in the register. A low risk would be, for example, the loss of a company laptop containing employees’ personal data if its disk is encrypted and it is password-protected. A leak of logins and passwords to customer accounts in a large-scale online store may carry a high risk because of the risk of identity theft and of exposing customers to financial losses. The administrator should implement in its organization instructions for estimating the risk of data protection breaches, suited to the nature of its business and the personal data being processed. It is worth using the guidelines of the Article 29 Working Party and seeking the advice of specialists.
• it is worth taking the time to prepare the notification carefully
From the moment the administrator discovers a breach, reporting it to PUODO should take no more than 72 hours. For this reason, in order to meet the deadline, notifications are often prepared very carelessly, omitting relevant information such as the scope of the data affected or the categories of data subjects.
The administrator has the right to supplement the notification after establishing further details of the event. It is worth exercising this right and providing the authority with full information. This avoids a lengthy explanatory procedure and having to respond to numerous inquiries about the circumstances of the breach.
• reporting a breach alone is not enough
The data controller’s work does not end with reporting the breach and waiting for the authority’s response. Action should be taken as soon as possible to prevent or limit the consequences of the breach. Such action may include contacting the persons who received the disclosed data, issuing relevant communications, introducing additional security measures, and changing passwords to information systems. A high-risk breach also entails the obligation to inform the persons whose data have been exposed about the incident. Failure to notify a breach may not only result in liability under the GDPR, but also damage the controller’s image. A data protection breach should also prompt the administrator to review the security measures currently in place in order to improve security.