DATA BREACHES &
Data breaches are often narrowed down to 'hackers' or 'being hacked'. However, a data breach under GDPR is not just an external threat. It includes any type or form of unlawful (thus intentional or unintentional but without a legal basis) data loss or destruction, or, access, viewing, or processing of personal data by anyone that is not authorized to do so. For example, receiving or sending an email to the wrong person that includes someone's personal data could constitute a data breach.
Not all data breaches need to be reported to the Data Protection Authority and/or your data subjects. Your Data Protection Officer must conduct a risk assessment and advice when reporting is mandatory.
You won't be fined for experiencing a GDPR data breach.
But you will be fined for your awareness, preparedness, and response to it.
Be Aware and Prepared
Be aware - and make your team aware - of what constitutes a data breach, set up protocols or operational procedures, who to contact in such event, and who is responsible for what task.
Assess and Act
In the event of a breach, set up mitigation measures against the breach.
The DPO must assess in how far the breach provides a risk to the rights and freedoms of the data subjects.
Communicate and Learn
Implement extra security measures, (re-)train staff, and, based on the risk assessment, your DPO must report the breach to the authorities and /or data subjects.
Log the breach and measures.
DATA PROTECTION AUTHORITIES
Which one applies?
All European Member State implemented a data protection office. This office can investigate, request evidence and pose fines on anyone processing personal data from data subjects in their Member State.
For example: if you process personal data from people in Spain, Lithuania and Sweden, then those three data protection authorities can investigate unlawful data protection activities.
If you have experienced a data breach that substantially affect Swedish data subjects, the Swedish authorities should become aware.
In the event of a data breach affecting multiple data subjects in different Member States, the authority in your Main Establishment can take the Lead.
The Main Establishment is the location where you are having your central administration and makes your managerial decisions on why and what of the data processing.
Companies without any establishment in the EU shall have to deal with every data protectionauthority of the Member State they process personal data. Hence, the requirement for an EU Representative.
When a data breach reaches different data subjects in more than one Member State, the authority where you report could inform the other authorities. In other events, the authority requests from you that you inform the other authorities yourself. Your Data Protection Office is the one who should report data breaches and communicate with the authorities.
On another note, different authorities may simultaneously investigate unlawful processing of personal data. You could be fined under one fine or under different fines, if the unlawful processing involves different unlawful actions in different locations.