Data breaches - big or small - occur on a daily basis. Although technical security measures can cover obvious risks, organizational measures should not be underestimated either.
In this blog, I discuss a number of organizational measures that can (or sometimes must) be taken in the contractual, policy and educational areas. These measures can streamline and optimize reporting processes so that the reporting obligations under the AVG (the Dutch term for the GDPR) are met. For example, consider training your employees in how to handle personal data securely.
In principle, a data breach, referred to in the AVG as a "personal data breach", must always be reported to the competent supervisory authority. This may only be deviated from if the data breach is unlikely to pose a risk to data subjects. Recent guidance from the European Data Protection Board ("EDPB"), the body of EU regulators, suggests that this threshold is quite high. Examples of cases that do not require notification are (1):
Incidents involving personal data already disclosed (lawfully) by other means;
Incidents involving encrypted data where it can be determined that the key to decrypt the personal data was not part of the incident;
Incidents where the personal data was made unreadable before the incident and where the backup is still intact.
The foregoing is in line with the earlier version of the guidelines.
When a data breach is likely to pose a high risk to data subjects, the data subjects themselves must also be notified. This can be done directly, for example via an e-mail or letter, or indirectly, for example via a notice on the website.
In both cases, information on the nature of the breach, the possible consequences and the measures taken must be provided.
When a data breach occurs, action must be taken quickly. Not only does the duty to report need to be met within 72 hours of discovery, but any negative consequences and/or damage must be mitigated as much as possible and as quickly as possible.
Whereas technical measures can limit data breaches or, where applicable, detect them, organizational measures contribute to the proper reporting and handling of a data breach. Below are a number of frameworks within which such measures can be taken.
A data breach can affect any company. If an organization qualifies as a controller and a processor it engages is affected by a data breach, the controller must report the data breach. It is therefore important for a controller to exercise some degree of influence over how an engaged processor handles data breaches and other types of security incidents.
It follows from Article 28 AVG that a processing agreement, which must always be entered into when a controller engages a processor, must in any case contain a provision stating that the processor will assist the controller in complying with its obligations around reporting data breaches. How this assistance should be fulfilled does not explicitly follow from the AVG.
It is advisable to set out in the processing agreement what specific information must be provided when a data breach occurs. This enables a controller to comply with its reporting obligation as well as possible, or at least to investigate whether it must comply with it. It is also important to clarify whether information must be provided only in the event of a personal data breach or also when there is 'only' a security incident (without personal data being involved), within what period the information must be provided, and to what extent the processor remains available between the notification to the controller and the handling of the data breach.
If a processor does not comply with what has been agreed, cooperation can be demanded in court, logically by way of summary proceedings given the time pressure. For example, the interim relief judge in Rotterdam recently ruled that a processor had to cooperate in a "loyal and generous manner" in providing information and following up on the controller's requests in that regard, as this followed from the applicable processing agreement (2).
Through the agreement, then, a controller can try to get a grip on data breaches that occur outside its own organization.
It is equally important to follow up on data breaches internally in an appropriate manner. A streamlined reporting process helps ensure thorough investigations and timely reporting when required.
For a successful internal policy, it is first of all important that employees understand what a data breach is and, to a greater or lesser extent, can recognize when one might have occurred. Next, information about the (possible) data breach must reach, as quickly as possible, the persons within the organization who (i) can implement measures to limit the consequences of the data breach as much as possible and (ii) can determine whether there is a duty to report. Finally, it must be ensured that every data breach, reported or not, is recorded in an internal register. If the decision is made not to report a data breach, it is advisable to record the considerations behind that decision in the register as well.
An internal data breach policy also contributes to accountability, EU regulators say.
Adequately educating employees can also go a long way towards preventing data breaches in the first place and then reporting any that do occur.
Education and training should focus primarily on prevention: how to handle personal data appropriately and securely. This ties in with the security or IT-use policy that an organization ideally has in place. If employees are aware of what is and is not permissible, the likelihood of human-caused data breaches may decrease.
Data breaches are nevertheless inevitable. It is therefore important that employees also know what could possibly qualify as a data breach. This is so that they can recognize any data breaches and then report them to the appropriate people within the organization.
Finally, employees should be made aware of the internal reporting process: to whom should I report a potential incident? This step can help to quickly manage a potential data breach.
Simply making internal documentation available will not always lead to the desired effect as it cannot be assumed that every employee will go through such documentation. Mandatory training or (online) education can help in this regard, as it actively makes employees aware of security requirements, data breaches and possible consequences.
As an organization, it is important to be well prepared for a possible data breach. Since a data breach cannot always be prevented, it is necessary to be able to act appropriately if one occurs. In addition to technical measures, organizational measures in various areas contribute to optimal preparation.
A data breach in itself is not by definition unlawful. The failure to report it when it should have been reported, or the lack of reasonably appropriate measures that allowed a data breach to occur, is. Therefore, be prepared.
(1) EDPB, Guidelines 9/2022 on personal data breach notification under GDPR, version 2.0: https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf
(2) Rechtbank Rotterdam, ECLI:NL:RBROT:2023:2931: https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBROT:2023:2931