In 2022, the theme of data breach, or the violation of personal data, and many other issues related to the privacy of web users. Last, but not least, the news that the Privacy Guarantor has prohibited the use of Google Analytics in Italy.
Given the strong prominence that this topic has aroused, in this article we will go to see what a data breach and how to behave when it is a victim. So that our customers are prepared in the event that this happens to them.
What does data breach mean?
With the term data breach a security breach is understood "which involves - accidentally or illegally - the destruction, loss, modification, unauthorized disclosure or access to personal data, transmitted, stored or otherwise processed."1
In other words, who is the victim of data breach risks seeing confidentiality and even accessibility to their data compromised. Examples include data capture by unauthorized third parties, data theft, and the inability to access data due to external attacks and malware.
What to do in the event of a data breach?
The legislation that regulates violations of personal data currently in force is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
According to the document, the subject who suffered a data breach, whether it is a public entity, a company, an association or a professional, must notify the damage suffered within 72 hours from the moment in which he became aware of the fact. Here, however, a first distinction must be made.
A possible data breach, in fact, it must always be registered, but it must be notified to the Privacy Guarantor only if it involves an effective risk for the rights and freedoms of individuals. In any case, however, it is necessary to notify the data controller, or the person whose data were kept that have been compromised.
In the event that you decide to notify, the Guarantor requires some information:
- the nature of the breach;
- the number of people affected;
- the contact details of the data protection officer;
- what are the potential consequences of the breach;
- what measures the data controllers have taken.
This is useful information to verify any liability and to ascertain the dynamics of events and it is important to provide it, even at a later time. Who suffers a data breach, in fact, it must prove accountability.
Accountability
This English term translates literally responsibility, but it conveys a slightly different meaning from how we normally understand it. The most correct translation, used mainly in the legal field, would be “to be able to give an account”.
The data manager must therefore be able to provide evidence that demonstrates that he has acted correctly and that he is able to manage the situation. In essence, it is necessary to demonstrate that all the minimum measures necessary for data protection have been implemented, based on the risk that would arise from a possible data breach.
In practice, the principle of accountability is based on three concepts:
- there transparency: the company must allow access to all the information in its possession;
- there possibility to demonstrate the actions carried out: so that it can be verified that all necessary safety measures have been taken;
- there compliance: the ability to enforce internal laws and regulations within the company.
What violations must be reported?
As mentioned, not all violations of personal data must necessarily be notified to the Guarantor. Only i data breach which may have repercussions on individuals, through physical, material or immaterial damage.
However, this is a situation that needs to be analyzed carefully before deciding not to notify. During the verification, the Guarantor will in fact want to know the reasons for this choice and demonstrate that the data breach in question is not subject to notification is not a simple thing. To demonstrate accountability, it is therefore important to follow the procedure for handling personal data breaches as much as possible.
What happens next?
In case you realize you have suffered a data breach, the Privacy Guarantor has made available a form to be filled out (at this address https://servizi.gpdp.it/databreach/s/) and send electronically.
Once the notification is received, the authority checks what has happened and assesses whether there have been any irregularities and responsibilities on the part of the company. The financial penalties provided for are very high and can reach up to 10 million euros or, in the case of companies, up to 2% of their total turnover.
For those wishing to learn more, guidelines are also available on the same site regarding the notification of personal data breaches and some related examples. Here are the links: