In this article, we have summarized all that you need to know about data breach notifications.
What defines a data breach?
This may come as a surprise, but not all data breaches require a data breach notification. Based on the guidelines set by the Data Protection Commission, the following are the PDPA breaches that require a notification (as taken from the DPC's Quick Guide to Breach Notifications):
- An incident that causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- 'Personal data' means any information concerning or relating to an identified or identifiable individual.
- A personal data breach is not only an incident involving loss of data, but may also include accidental exposure of data, deliberate acts to gain access to customer data, or encryption of data that renders it inaccessible.
- A personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data.
Moreover, the following are examples of incidents that could qualify as data breaches under the GDPR:
- A customer database stored on a physical device has been lost or stolen.
- Personal data has been encrypted by ransomware, or accidentally encrypted by its owner and the key was lost.
- Data is deleted by accident, or by an unauthorized person.
- Critical personal data is rendered unavailable by a cyber-attack, such as a Denial of Service (DoS) attack.
Who do you report a data breach to?
Data breaches are reported to a Data Protection Authority (DPA). To determine which DPA you should report to, keep the following factors in mind:
- If you only operate in one European country, or the data is collected, processed and used in one country, you only need to notify the local DPA in that country.
- If the data is transmitted between European countries and you operate in one or more European countries, you should notify the DPA of the country in which decisions about the data are made. This authority is called the Lead Supervisory Authority (LSA). For example, if the compromised data was financial and the company's finance department is in the UK, the breach notification should go to the UK DPA, even if the data was collected or processed in other European countries.
- If you do not have a presence in the EU, you must report to the DPA in each European country you are active in.
Requirements of a data breach notification
So, what do you need to report in a data breach notification? Here is the information that must be included in every data breach notification letter sent to a DPA.
- Nature of the breach.
In this part of the letter, you must clearly state how the breach incident happened, how many persons are involved, what kind of data is affected, and which records and information were breached, lost, or exposed.
- Contact information.
This one is self-explanatory: the report must also include the contact details of the persons involved in the incident. This includes the point of contact for data protection in the company or organization, which may be the data protection officer, the EU representative, or a similar role.
- Consequences of the Breach.
This is where you explain the possible consequences of the breach. Include all the worst-case scenarios that you can think of: loss or exposure of data, identity theft, financial damages, and others.
- Measures that were taken.
Last but definitely not least, include in the letter the details of what you have done so far to contain the problem. This also includes your future plans for addressing the PDPA breach.