What is a personal data breach under the GDPR?
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Organizations have an obligation to report certain personal data breaches to the regulator and, in certain circumstances, to the individuals affected by the breach:
Notify the regulator/supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Article 33). Notify the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34). Note that the 72-hour clock starts when the organization becomes aware of the breach, not when the breach occurred, and that every breach, reportable or not, must be documented in the organization's internal breach record (Article 33(5)).
What does all this mean? The European Data Protection Board has helpfully provided some examples:
Example 1: The lost flash drive!
An organization stored a backup of an archive of personal data, encrypted, on a USB key. The key is stolen! Here the organization does not need to report to the regulator or to individuals, because the data was encrypted, so the theft is unlikely to result in a risk to the rights and freedoms of data subjects. This only holds if the encryption is state of the art, the key has not been compromised, and another copy of the data exists so that nothing has actually been lost; the incident must still be recorded in the internal breach log. However, if the data is later compromised (for example the key turns out to have been exposed, or the encryption is broken), notification would be required: definitely to the regulator, and possibly to the data subjects.
Example 2: Ransomware attack!
An organization suffers a ransomware attack which results in all of its data being encrypted. No back-ups are available and the data cannot be restored. Even though nobody outside the organization has read the data, this is a loss of availability and therefore a personal data breach. Here, if there are likely consequences for the data subjects, the organization would have to notify the regulator, and it would likely have to report to the data subjects too, depending on the consequences of the loss of the data. If the attackers also exfiltrated the data before encrypting it, or exfiltration cannot be ruled out, the incident is a confidentiality breach as well, and the risk assessment must take that into account.
A purchase history? Maybe not. Health data? Definitely. (These are things to talk about with a privacy lawyer.)
Make sure your preparation and compliance plans are up to speed, so that you can detect a breach, assess the risk to data subjects, and notify within the 72-hour window, and so that the consequences of any data breach are kept to a minimum.