SOS Data Breach – What to do?

Any irregularity in the processing of personal data may constitute a data breach or a data protection incident. The action to be taken will depend on the individual case. You should not hesitate to report this to the responsible supervisory authority, especially as it can even help to save your image.
Data protection violations must be reported under the GDPR in cases where there is a risk to the “rights and freedoms of natural persons”. Detailed information can be found in the short paper No. 18 of the Lower Saxony Authority (available only in German). Here is a brief summary for you:

First ask yourself the following questions:

  • Have third parties obtained unauthorized access to or insight into personal data?
  • Have service devices, hardware or documents been lost or stolen?
  • Has personal data been processed unlawfully or for the wrong purposes?
  • Was personal data accidentally deleted, destroyed or damaged?

If you can answer one of the above questions with YES, check whether the data concerned can be classified as follows:

  • Is this so-called “risk data”? = Special types of data, such as health data, ethnic origin, sexual life or religious beliefs, see Art. 9 GDPR?
  • Is this data subject to professional discretion?
  • Is it payment or credit card data?
  • is it data relating to administrative offences or criminal offences?
  • is it data that offers the possibility of identity theft, damage to reputation or profiling based on personal aspects?

If you can also answer YES to one of the previous questions, then there is a high probability that this is a reportable incident. There is no reason to panic – but please contact your data protection officer as soon as possible. 

In the case of a reportable incident, the responsible data protection authority must be informed within 72 hours. To ensure that a well-founded assessment of the situation can take place and that you do not lose valuable time, these 5 questions should be answered directly at the first contact with your DPO:

  • WHEN did the incident occur and when was it discovered (data, time, timeframe)?
  • WHAT data is affected (list)=
  • HOW MANY records/ USER are affected?
  • WHERE did the incident happen (to you or to your service provider?
  • HOW did the data breach occur (e.g. technical error; force majeure such as lightning strike; hacker attack; malware;…)?

A report to the authorities does not put your company in a bad light or put you on the “shooting list ” of the authorities. With a report you fulfil your legal obligations and avoid a violation of the Data Protection Law. Errors and accidents happen everywhere, it is only important to deal with them correctly and not to sweep them under the carpet. In addition, you reduce the risk of a public faux pas and damage to reputation in the event that a data subject makes the data protection incident public.
You may also be required to notify the data subjects. However, this obligation is not subject to the 72-hour period. Rather, you should coordinate both the notification and the correct procedure in a timely manner with your data protection officer and, under certain circumstances, with the supervisory authority.