Blog » DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
09 April 2018
If data leakage, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high you shall as well inform the affected persons. In this article we mention 5 things that you need to consider when you decide about whether you should notify the authority or the data subjects.
1. The characteristics of your organization
When assessing the risk of a data breach it is worth to start with your own organization, particularly with your business activities and the personal data you hold.
Naturally, the risk of a data breach is not the same in the case of a producer company who engages in business to business transactions as in case of an e-shop who stores financial data of individuals.
To give another example imagine that due to a cyber-attack your data records are not available for several hours. If it prevents you from sending your weekly newsletter, probably the affected persons will not consider it as a tragedy. However, if you are a health service provider and you cannot access your patients’ medical records for hours, it may have serious consequences to them.
2. The type of the breach
The type of the particular data breach may affect how severe its consequences are. However, there are not exact ‘rules’ as we cannot declare for sure that a confidentiality breach when data is accessed by unauthorized persons is riskier than an availability breach when you cannot access your data.
For example, if you are a party organizer and your employee accidently deleted your VIP contact list, it may be a big trouble for you but probably not as big for your customers. However, if this VIP contact list is put to a public website I can imagine that your customers would be very upset as every journalist will know how to reach them.
On the other hand, if medical information has been accessed by unauthorized persons, it may have different consequences for the patient compared to an availability breach where the patient’s medical records have been irreversibly deleted.
3. The nature and sensitivity of the personal data
The key factor when assessing the risk is the type and sensitivity of the personal data that has been affected by the breach.
As a main rule the more sensitive the compromised personal data is (eg. fingerprints) the higher the risk of the data breach is. The disclosure of a name and an e-mail address is not likely to cause substantial damage under normal circumstances.
If the breach involves a combination of personal data, for example identity and financial details, it can have probably more serious consequences as if only a single data (eg. home address) is disclosed.
4. The severity of consequences for data subjects
The potential consequences of a data breach may be damage to reputation, humiliation or in more serious cases even fraud or identity theft.
The possible consequences may vary depending on the nature of the compromised data (eg. sensitive data) or in case of a confidentiality breach on the person of the recipient.
The incident is more serious if the personal data gets into the hands of hackers whose intentions are probably malicious. Of course, the accidental disclosure to an unauthorized recipient is also considered as a data breach, but if this recipient informs you and cooperates, harm to the data subject is less likely.
5. The number of affected data subjects
The number of the individuals affected by the data breach influences its level of the risk. Generally, the higher the number of the affected data subjects is, the more serious the data breach is.
You can imagine that the risk is not the same if one employee’s records have been sent to a wrong department as if your whole customer list including contact and financial details is accessed by an unauthorized person.
However, in certain cases a data breach can have a severe impact to even one data subject, for example if his extremely sensitive data (eg. sexual orientation) has been compromised.
To sum it up, when you are deciding about whether to notify the supervisory authority about the data breach, you should consider at least the above aspects. However, you have to bear in mind, that there is no golden rule, all cases must be examined individually.
ONLINE CONSUMER CONTRACTS – IS YOUR BUSINESS CONCERNED?
Black Friday is once again around us: the time when online shops and the consumer protection authority cash in some extra income every year. We guess you’ve already read about the extreme discounts and the record-breaking fines by the authorities, so in our article, we will explain, that without your knowledge, your own business can easily step into the field of consumer protection, in which case, your contracts are subject to special rules. In our article, we show you how you can recognize these situations and, of course, summarize the obligations.Read more »
HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
Since in the middle of summer 2020, the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the applicability of the standard contractual clauses, we were wating for guidance from the European Data Protection Board (EDPR) how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide which we summarize in this short article.Read more »
THE SUPREME COURT RULED – FLEXIBLE WORKING TIME CAN ONLY BE ORDERED IN WRITING IN HUNGARY
It is often the case that the employer does not clearly regulate the employment relationship of the employees, which later leads to an employment lawsuit. This happened in the case before the Hungarian Supreme Court, where a legal dispute arose in connection with the employee's work schedule, the stake is the payment of several million forints of overtime work compensation to the employee. In our short article, we analyze the Supreme Court’s decision and draw conclusions on how the employer can avoid similar situations.Read more »