DATA BREACH – NOTIFY OR NOT, THAT IS THE QUESTION
09 April 2018
If a data leak, data theft or other breach happens at your company and it is likely to result in a risk to the data subjects’ rights, you have to report it to the supervisory authority. If this risk is likely to be high, you must also inform the affected persons. In this article we cover 5 things that you need to consider when deciding whether to notify the authority or the data subjects.
1. The characteristics of your organization
When assessing the risk of a data breach, it is worth starting with your own organization, particularly with your business activities and the personal data you hold.
Naturally, the risk of a data breach is not the same for a producer company that engages in business-to-business transactions as for an e-shop that stores financial data of individuals.
To give another example, imagine that due to a cyber-attack your data records are not available for several hours. If this prevents you from sending your weekly newsletter, the affected persons will probably not consider it a tragedy. However, if you are a health service provider and you cannot access your patients’ medical records for hours, it may have serious consequences for them.
2. The type of the breach
The type of the particular data breach may affect how severe its consequences are. However, there are no exact ‘rules’, as we cannot say for sure that a confidentiality breach, where data is accessed by unauthorized persons, is riskier than an availability breach, where you cannot access your data.
For example, if you are a party organizer and your employee accidentally deleted your VIP contact list, it may be big trouble for you but probably not as big for your customers. However, if this VIP contact list is published on a public website, I can imagine that your customers would be very upset, as every journalist will know how to reach them.
On the other hand, if medical information has been accessed by unauthorized persons, it may have different consequences for the patient compared to an availability breach where the patient’s medical records have been irreversibly deleted.
3. The nature and sensitivity of the personal data
The key factor when assessing the risk is the type and sensitivity of the personal data that has been affected by the breach.
As a general rule, the more sensitive the compromised personal data is (e.g. fingerprints), the higher the risk of the data breach. The disclosure of a name and an e-mail address is not likely to cause substantial damage under normal circumstances.
If the breach involves a combination of personal data, for example identity and financial details, it will probably have more serious consequences than if only a single piece of data (e.g. home address) is disclosed.
4. The severity of consequences for data subjects
The potential consequences of a data breach may be damage to reputation, humiliation or in more serious cases even fraud or identity theft.
The possible consequences may vary depending on the nature of the compromised data (e.g. sensitive data) or, in the case of a confidentiality breach, on who the recipient is.
The incident is more serious if the personal data gets into the hands of hackers whose intentions are probably malicious. Of course, accidental disclosure to an unauthorized recipient is also considered a data breach, but if this recipient informs you and cooperates, harm to the data subject is less likely.
5. The number of affected data subjects
The number of individuals affected by the data breach influences its level of risk. Generally, the higher the number of affected data subjects, the more serious the data breach.
You can imagine that the risk is not the same when one employee’s records have been sent to the wrong department as when your whole customer list, including contact and financial details, is accessed by an unauthorized person.
However, in certain cases a data breach can have a severe impact on even one data subject, for example if their extremely sensitive data (e.g. sexual orientation) has been compromised.
To sum up, when deciding whether to notify the supervisory authority about the data breach, you should consider at least the above aspects. However, bear in mind that there is no golden rule; all cases must be examined individually.