Don’t forget to update your procedures!

In September of 2019 the National Commission for Data Protection (the “CNPD) updated its data breach notification form with the goal of facilitating the job of data controllers.

The form is accessible by clicking here and should be sent to: databreach@cnpd.lu

You can use the public GPG key to secure the transmission of information by encrypting it (accessible by clicking on the link or the CNPD’s website).

In case of a personal data breach, the organization’s data controller must notify the CNPD of the breach within 72 hours after becoming aware of it if the breach might create a risk to the rights and freedoms of the concerned persons. If the breach might create a high risk to the rights and freedoms of the concerned persons, they should also be informed thereof as soon as possible.

Human error

Did you know that according to the CNPD’s 2018 Annual Report, the main cause of 57% of data breaches is human error? And, most human error occurs when an existing procedure is not followed; when an existing security rule is subverted; when the personnel has not been sufficiently made aware of the confidentiality rules that apply; or, following an error due to inattention. Depending on the context, the establishment of a monitoring mechanism prior to the transmission of data could have prevented this type of incident.

Source: CNPD’s 2018 Annual Report

Thus, it is essential to make aware and train personnel, as well as to have a procedure to follow in case of a data breach, and know how to react in case of a data breach and determine who internally will have the responsibility to do the follow up, particularly to avoid missing deadlines.

Data breach register

All personal data breaches must be documented by the data controller, whatever the risk for the rights and freedoms of the concerned persons. Careful attention should be paid to this as it is easy to verify in case of monitoring by the CNPD.

Review: What is a personal data breach?

A personal data breach is a security breach accidently or illicitly causing the destruction, loss, alteration or unauthorized disclosure of personal data which is transmitted, stored or processed in a manner other than that authorized, or the unauthorized access of such data.

Data breaches can be categorised according to three well-known information security principles:

  • Confidentiality breach: the unauthorised or accidental disclosure of, or access to, personal data;
  • Data availability breach: the accidental or unauthorised loss or destruction of personal data; and
  • Data integrity breach: the accidental or unauthorised modification of personal data.

Depending on the circumstances, a breach can concern data confidentiality, availability and integrity simultaneously, as well as any combination of the 3 principles.

National Commission for Data Protection website

Our Digital team is available to assist you with updating your RGPD procedures.