What to do after a breach of data security?
It is possible when you process data that the confidentiality, integrity, or availability of data becomes limited, and as a result, that data gets lost, deleted, or changed, or disclosed or made accessible to unauthorized third parties. Ensure that there is a responsible person in the company for this type of situation and that processes are defined to find out how that third party gained access to the information. The entire case must be documented and the documentation saved, and the responsible person must in some cases report the breach of data security directly to the FDPIC.
When does a report have to be made?
Not every breach of data security needs to be reported. The basic rule is that only breaches that are likely to entail a high risk for the data subject or their basic rights must be reported. Whether such a situation exists must be assessed in every individual case. You can base your review on the matrix for data protection impact assessments (link). The goal is to determine the severity of the possible consequences and how likely it is that these will occur.
Who has to be informed?
- If a case needs to be reported, then the FDPIC must be notified about the events as soon as possible. There is no legal deadline. However, the report should be filed as soon as it is clear what kind of breach took place, the impact has been assessed, and measures have been planned.
- The affected persons must also be informed if such notification is imperative to their protection. This may be the case if they need to change a password, for example. You also have this obligation if the FDPIC requires notification.
The revised Data Protection Act (nFADP) does not provide for any criminal sanctions if the obligation to report to the FDPIC is not complied with. However, the situation is different if you fall under the scope of application of the EU General Data Protection Regulation (GDPR). We advise you to take these regulations seriously and to report any such breaches in good time.