The number of personal data breach notifications is increasing - how to prevent and manage breaches?
The number of personal data breach notifications has increased in recent years, as the obligation for organisations to notify began with the application of the EU General Data Protection Regulation (GDPR) in May 2018. The GDPR obliges controllers to notify personal data breaches to the supervisory authority and, where necessary, also to data subjects, depending on the level of risk the breach is likely to pose. Personal data breach notifications represent the largest single category of matters brought to the Office of the Data Protection Ombudsman. During 2022, their share of all initiated matters rose to almost half. According to the Office of the Data Protection Ombudsman, by far the most common cause of personal data breaches is a careless error made when several things are carried out simultaneously and in a hurry.
What is a personal data breach?
A personal data breach is an event that involves the destruction, loss or alteration of personal data, or unauthorised disclosure of or access to it, occurring either by accident or as a result of unlawful action. A personal data breach can be, for example, a lost data transfer device containing personal data, such as a USB flash drive, a stolen computer, a data breach caused by a third party, or an email containing personal data being sent to the wrong person.
A personal data breach may result in various forms of adverse impact on the affected individuals and may cause material or non-material damage. Such consequences may include discrimination, identity theft, fraud, economic loss, damage to one's reputation and loss of control over the use of one's own personal data.
How to prevent and prepare for personal data breaches?
It is crucial to react to personal data breaches as quickly as possible, so it is important for organisations to have clear procedures and guidelines for the eventuality of personal data breaches. Controllers and processors should therefore plan and implement in advance an annually updated process to be able to detect and promptly contain a breach and assess the risks to individuals.
A data protection impact assessment (DPIA), which is the responsibility of the controller, serves as a useful tool in preventing personal data breaches. It helps to assess and manage risks related to the processing of personal data and to identify which measures need to be taken to avoid threats.
It is essential to provide internal guidance and training within the organisation, and to regularly test systems with simulation exercises. The Office of the Data Protection Ombudsman pays attention to issues such as ensuring the up-to-date status of software, access management, and adequate monitoring and logging of data processing systems as part of the security of personal data processing.
How to proceed in the event of a personal data breach?
Risk assessment
The processor shall notify the controller without undue delay after becoming aware of a suspected personal data breach. The controller and processor shall implement all appropriate security measures to immediately determine whether a personal data breach has actually occurred. The controller should act to contain the breach and, at the same time, carry out a risk assessment of the likely consequences of the breach for the rights and freedoms of the data subjects. When assessing the risk to individuals resulting from a breach, the controller should consider the specific circumstances of the breach, including the severity of the potential impact and the likelihood of it occurring. The assessment should take into account, for example, the following criteria:
the nature, sensitivity, and volume of personal data,
ease of identification of individuals,
severity of consequences for individuals and special characteristics of the individual (e.g. children/other vulnerable individuals) and
the number of affected individuals.
On the basis of the risk assessment, a decision must be taken as to whether the personal data breach should be notified to a supervisory authority or even to the data subjects.
Obligation to notify
When the controller becomes aware of a personal data breach, the breach must be notified without undue delay and, if possible, within 72 hours to the supervisory authority, which in Finland is the Office of the Data Protection Ombudsman. Notification to the authority may be omitted only if the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons. In addition, where the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must also be informed of the breach without undue delay.
Defining when the above-mentioned notifications must be made in practice can be challenging. To make it easier to draw the line, the European Data Protection Board has provided practical examples in its Guidelines 01/2021 on examples regarding data breach notifications. In addition, an update (03/2022) of the Office of the Data Protection Ombudsman's guidance clarifies the practices for data breach notifications in the social and health services sector. In the social and health services sector, the threshold for reporting is lower – when a personal data breach involves health data, a high risk is likely to exist unless the controller proves that the risk has been reduced.
Documentation
Regardless of whether a personal data breach must be reported to a supervisory authority, the controller (and processor) must document all personal data breaches, as well as the impacts and remedial actions taken, including the log data from the time of the incident. The documentation must enable the supervisory authority to verify that the controller has fulfilled its obligations.
At Fondia, we assist our clients with personal data breach processes, for example by drafting guidelines and documents for reporting and providing case-specific consultation on individual breaches.