Security breaches and the GDPR: what’s new
The management of security breaches is undoubtedly one of the most important new features of the GDPR. A year ago, we published a post where we explained what to do if they occurred in your company or startup, but the situation of this last year certainly requires an update of the content.
What to do in the event of a security breach?
The are three basic obligations in light of any security breach, according to the GDPR and as recommended in November 2019:
- Record and internally manage the security breach. This requires having an internal protocol so that security breaches are reported to the person responsible to record the steps that have been followed in order to minimise their impact. This last point is very important because companies do sometimes not have a real and effective capacity to prevent an attack or a security breach, but they have a say in deciding how they respond. This is a factor that the Spanish Data Protection Authority (“AEPD”) values highly if the breach ends up in penalty proceedings.
- Analyse whether the breach should be reported to the AEPD. This is one of the important new issues in the GDPR: the introduction of the obligation to report data breaches to the AEPD; the only exception is that this breach is unlikely to create risks to those affected (for example, if data was encrypted). In all other cases, reporting is mandatory within 72 hours after becoming aware of the incident. This is not just any old factor, because companies often become aware of the incident months after it has occurred.
- Analyse whether the breach should be reported to those affected. In the most serious cases (identity theft or breaches that might imply identity theft) reporting to those affected is required.
In relation to these last two important points, an important new issue must be added here, which is the recent publication by the AEPD of a questionnaire that enables you to decide whether reporting is required to the AEPD itself and to those affected. By answering a few brief questions, you are given guidelines on how to act.
Are there fees for not reporting security breaches?
In November 2019, there were still no penalties in Spain for not reporting security breaches. In July 2020, a €3,600 fine was published for failure to notify to the AEPD of a security breach.
The fine was €6,000, but it was reduced because the party responsible paid voluntarily. The specific case was a computer attack on a company through which the attackers obtained the personal data, such as email, of the company’s clients and sent them emails to obtain more information about them for fraudulent purposes.
These attacks are becoming more frequent.
Security breaches and COVID19?
This year 2020 will be sadly remembered for COVID19; among many other consequences, is the fact that companies have often entrusted their continuity to “new” digital providers and teleworking.
Both cases, regardless of their advantages, can be a source of “new” security breaches.
New providers and tools
As said, given the impossibility to perform most of tasks in person, companies have implemented new tools to continue working: video calls, digital document signature systems, contracts, etc.
These tools, for the most part, are managed by new suppliers for companies and if we put part of their production processes and the personal data that are handled in them “in their hands”, companies must be aware that breaches or incidents can happen.
That is why it is very important to ensure the breach reporting policy between suppliers and their clients so that they, in turn, meet the requirements of the GDPR.
Telework
The phenomenon of teleworking has experienced unprecedented growth in 2020.
With its undeniable advantages, teleworking is not without new risks: access to personal data from workers’ homes, with security measures not controlled by companies, is undoubtedly the greatest of them.
Any incident that occurs in these circumstances must be known and controlled by the company and treated as if it had occurred in the company itself.
Security breaches are one of the new challenges of the GDPR and how to manage them is undoubtedly a situation that companies must address efficiently and according to their structure and organisation.
If you need to review or implement your internal security breach management protocol, contact us.