Guest post by Tomasz Wiese
Many businesses’ concerns with GDPR end with putting a privacy policy on their website and perhaps drafting a Data Processing Agreement. However, any organisation that processes personal data must also know how to react when something goes wrong.
It is almost inevitable that a so-called personal data breach will happen at some point in any company.
As a rule, such a breach must be reported to the Data Protection Authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it.
Personal data protection – about the breach
A breach of personal data protection can consist of:
- disclosure of personal data to an unauthorized person (breach of data confidentiality);
Example:
An unauthorized person gaining access to personal data after the company’s IT system has been infected with malware.
- temporary or permanent loss or destruction of personal data (violation of data availability);
Example:
Loss or theft of media containing customer databases in the absence of a backup.
- changing the content of personal data in an unauthorized manner (violation of data integrity).
It is important to remember that a personal data breach can occur at any time – not only during work, but also outside working hours, during a vacation, sick leave or a suspension of business operations.
It can also occur anywhere – on the premises of the company, its branch or production facility, but also at a client’s premises, while working remotely from home or from a co-working space, or during a workcation or business trip.
Examples of data protection violations
In addition, a data protection breach can take a variety of forms, including completely inconspicuous ones. Examples are:
- loss, destruction or theft of a business device (e.g., phone, laptop, flash drive) or business records,
- infection of a business device (computer, phone, etc.) with malware,
- a hacking attack or an attempted hacking attack,
- burglary or attempted burglary of premises or rooms where business equipment or business records are stored,
- accidentally sending an e-mail message that contains a customer’s personal data in its body or attachments to the wrong recipient, such as the wrong department of the company or a member of the public,
- throwing documents containing personal information into the public trash instead of destroying them with a shredder,
- phishing.
Often, the data controller encounters difficulties at the very first stage – that is, in assessing whether an incident is a personal data breach at all and whether it must be reported to the authorities.
In the case of a suspected breach, one should:
- try to record all relevant information related to the breach (e.g., the time and place of the breach, its course, the steps taken, etc.) and document it as thoroughly as possible (take notes, photos, video or audio recordings, screenshots),
- secure the place where the breach occurred and refrain from working on the affected equipment,
- contact a data protection law professional as soon as possible.
The above steps should be taken even if it is doubtful whether the incident is a breach, or it is not yet known whether personal data was involved. They should also be taken when the breach was a one-off, short-lived or has already ended, or when its nature appears insignificant. This obligation must not be ignored even if similar incidents have occurred in the past or the incident in question has already been reported to other authorities (such as the police).
Concealing a data breach from the DPA and from the persons whose data has been affected can have serious consequences. Fines levied by the DPA can be painful, but the reputational damage may be irreparable.
JWMS Law Firm can support companies at every stage of the process: making a professional assessment of the incident and, if necessary, preparing the notification to the DPA and conducting the proceedings before the DPA.
Author: attorney-at-law Tomasz Wiese