Data protection breaches according to GDPR
In the event of a data (protection) breach, unauthorised persons gain access to data. These breaches of data protection and security result in company secrets and/or individual-related data Unauthorized persons know about it. In a broader sense, a data breach also includes the unwanted deletion of data, i.e. its loss.
The data can get lost in the original, for example because data carriers or files have been lost, stolen or incorrectly disposed of, or in the form of a copy. Such breakdowns can occur, for example, through intrusion into a server or the distribution of inadvertently published data.
These leaks often have negative consequences for companies and, in the case of personal data, for the data subjects. Companies are threatened with economic disadvantages and damage to their image, while those affected can suffer great financial and personal damage as a result of breaches of data protection, including identity theft.
High number of unreported data breaches
As there are small and large leaks, it is not possible to estimate their number accurately. The number of unreported cases is likely to be high, as many companies want to avoid such incidents becoming known. In addition, companies are not obliged to submit a report to the supervisory authority for every data leak, but only if it involves risks for the person concerned.
A violation of personal data is deemed to have occurred after Article 4 No. 12 GDPR if this data has been lost, destroyed, altered or disclosed without authorisation. Since the GDPR came into force, there has been a more comprehensive obligation to report data breaches than was previously the case under the Federal Data Protection Act. The Article 33 and 34 regulate this reporting obligation. Now, any data breach that is likely to result in a risk for the person concerned must be reported to the supervisory authority within 72 hours. In addition, if there is a high risk to the personal rights and freedoms of data subjects in the event of a data breach, these individuals must also be notified. This is only possible under the conditions of the Article 34(3) GDPR not absolutely necessary. If you are a data processor, you are also subject to the documentation obligation for the incident.
How to report data breaches
The supervisory authority of the federal state in which the company has its registered office is responsible. While the notification to the authority must be made within 72 hours, the affected parties must be informed immediately. As a rule of thumb, the riskier the data breach, the faster the notification should be made. Its scope depends on whether it is addressed to authorities or data subjects. The GDPR does not prescribe a specific form for the notification, such as fax or letter. However, this is recommended for reasons of evidence. Before doing so, you should contact the supervisory authority by telephone in order to comply with the 72-hour deadline. You do not have to provide the data subject with comprehensive information about the data breach. However, make sure to write the information in a clear and understandable language!
If you do not report the mishap, the data protection authorities have a discretion in the sanctions they impose. They can leave it at a warning or even impose a fine. Under Article 83 paragraph 4a GDPR, fines of up to ten million euros or up to two percent of the worldwide turnover of the previous business year are possible. As the recent past has shown, the authorities actually enforce these fines.
How to reduce the risks
To reduce the dangers of data leakage, it is recommended to take "classic" security measures: choose complex passwords, install software updates regularly and, if possible, set up two-factor authentication.
In case of an obvious data outflow, one should immediately check whether the connections should be interrupted. If an employee is under suspicion, one should consider whether he or she should be suspended at least temporarily. This also applies to external parties.