Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
Understanding Data Breach: Protecting Sensitive Information

14 January 2026 07:12

One of the most common mistakes, even though the GDPR has applied since 2018, is to treat only security breaches involving sensitive data as data breaches. This is often a fatal error, because it leads to underestimating the risks (or rather, the dangers) to data subjects that can arise from any personal data breach, or, worse, to not assessing them at all. It also exposes the organization to potential sanctions from the supervisory authority for failing to properly fulfil its data breach management obligations (detection, notification and documentation).

Let’s be clear: a personal data breach is defined as follows in Article 4(12) GDPR:

“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

and therefore leaves very little room for particularly creative interpretations or applications.

The only question that needs to be answered to decide whether a security incident involving a loss of confidentiality, integrity and/or availability is a data breach is this: did the breach involve personal data? If so, it is a data breach. Whether that data is sensitive plays no part in this first question.

Once this has been established, the sensitivity of the data affected by the breach must be taken into consideration in order to correctly assess the risks to data subjects.

Sensitive data in risk assessment.

Data sensitivity is, in fact, one of the criteria used to assess the risk of a breach and, consequently, to determine whether the notification threshold of Article 33(1) GDPR is met: the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (the “not improbable risk” test). If the breach is likely to result in a high risk, it must also be communicated to the affected data subjects without undue delay, as expressly provided for in Article 34(1) GDPR.

Not only that: the ability to respond to the incident and the mitigation measures implemented must also be tailored to the sensitivity of the compromised data, since this factor correlates with the risk to the rights and freedoms of data subjects.

But who must conduct the risk assessment? Simply put: the data controller, as the entity responsible for the general data breach management obligations. The data processor, on the other hand, is required to inform the controller without undue delay after becoming aware of a breach (Article 33(2) GDPR) and to assist the controller “taking into account the nature of processing and the information available to the processor”, under the terms further specified in the processing contract (Article 28(3)(f) GDPR).

In short, all the measures that both the controller and the processor must adopt to ensure adequate incident management capacity must be commensurate with the sensitivity of the data being processed. Otherwise, they will be held accountable for failing to ensure a level of security appropriate to the risk.

Also evaluate the other parameters.

In addition to data sensitivity, assessing the risks arising from a data breach takes into account a series of factors, such as how easily the individuals concerned can be identified and the context of the breach, in order to assess the likelihood and severity of consequences that could “cause physical, material or non-material harm to natural persons” (Recital 85). And the incident must be documented in any case. Always. Even when the risks are unlikely.

Both because Article 33(5) GDPR expressly requires it (the facts of the breach, its effects and the remedial action taken) and because it is the only way to monitor the consequences of the breach over time and, above all, to draw lessons for improving information security management.


Stefano Gazzella
Privacy Officer and Data Protection Officer, serves as Of Counsel for Area Legale. Specializes in personal data protection and, in managing information security within organizations, pays particular attention to issues related to social engineering. Head of the scientific committee of Assoinfluencer, coordinating research, publication and outreach activities. As a freelance journalist, writes about topics related to fourth-generation rights, new technologies and information security.
Areas of Expertise: Privacy, GDPR, Data Protection Officer, Rights, Legal Affairs, Meme