The term “data breach” often evokes the image of a hooded hacker glued to his screen, pirating large companies and public administrations, like Rami Malek in the Mr. Robot series. However, data breaches cover a much broader spectrum of situations, which mobilize teams and, when badly managed, cause blockages, slowdowns and stress that could be avoided.

What is a data breach?

In a company, the majority of data breaches come from human errors that are involuntary and without malicious intent, such as sending an email to the wrong recipient or losing documents, whether digital or not (for example, a USB stick containing the security plans for London Heathrow Airport).

Source: Rapport annuel 2019 of the Commission Nationale pour la protection des données (CNPD)

Of course, you know that a data breach is characterized by the destruction, loss, alteration, unauthorized disclosure or access, accidentally or unlawfully, to personal data. There are three types:

  • Confidentiality breaches, meaning that there has been an unauthorized disclosure of, or access to, the data;
  • Integrity breaches, where the data is modified or altered; and
  • Availability breaches, where the data is lost or destroyed.

Do you have a data breach procedure?

A data breach can cause chaos in a company; a procedure would curtail it.

Applying a clear procedure allows those involved to avoid errors caused by the stress of a data breach. A procedure also makes it easier to qualify the breach accurately and provides guidance for adopting the appropriate response.

Recording of a data breach in a data breach register

Each data breach must be documented in a data breach register, regardless of the seriousness of the incident. This confidential register may be consulted by the supervisory authority, in Luxembourg the CNPD, particularly when a data subject files a complaint with it.

The register is obligatory and must contain at least:

  • The nature of the breach;
  • The file(s) impacted;
  • The data subjects and their approximate number;
  • The possible consequences;
  • The measures taken to stop the breach or limit its consequences; and
  • Depending on the situation, an explanation of the absence of notification to the supervisory authority or information to the data subjects.

Should the CNPD or data subjects be informed?

You should assess the risk that the breach poses to the rights and freedoms of the data subjects in order to know whether you have a legal obligation to notify. The risk evaluation table in your data breach procedure will allow you to act quickly, because the clock is running: you have 72 hours (weekends and public holidays included).

If no risk is identified, no notification needs to be made. However, if there is a risk to the privacy of the data subjects, you must notify the CNPD of the incident within 72 hours of becoming aware of it. Finally, when there is a high risk, you must also inform the data subject(s). There are certain exceptions, but they should be applied narrowly and in a limited manner, and must be explained in the data breach register.

It is unrealistic to imagine a company without data breaches, something the CNPD knows when it asks to consult a data breach register upon receiving a complaint. However, putting in place a procedure for reacting adequately, together with a regularly updated data breach register, will allow you to respond without mobilizing too much of your personnel, in compliance with the law and avoiding CNPD sanctions.

For more information and assistance with your GDPR procedures, contact us at rlesqueren@dsm.legal.

Renaud Le Squeren
Partner
Avocat à la Cour
Héloïse Cuche
Senior Associate
Avocat à la Cour
Alison Front
Associate
Lawyer