What Does a Data Breach or Leak Mean According to the GDPR?
According to the GDPR, a data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. In other words, such a situation occurs when people’s data has been compromised or obtained illegally. In such cases, it is necessary to report a personal data breach.
A breach also occurs when an incidental event leads to the disclosure of sensitive, protected, or confidential data that contains personal data.
What Are the Types of Personal Data Breach?
According to the GDPR, we distinguish three types of data breaches:
- Breach of Confidentiality: Unauthorized or accidental disclosure of or access to personal data.
- Integrity Breach: Unauthorized or accidental alteration of personal data.
- Breach of Availability: Accidental or unauthorized loss of access to or destruction of personal data.
A granular understanding of these three types of data breach helps in preventing such events, since each calls for different safeguards: access controls against confidentiality breaches, change controls against integrity breaches, and backups and resilience against availability breaches.
When Is There a Legal Obligation to Report a Personal Data Breach?
Under Article 33 of the GDPR, a personal data breach requires organizations to notify the Data Protection Authority (DPA) of the breach within 72 hours and, in some cases, the individuals whose data has been compromised. Here are the factors to consider when deciding which DPA to notify:
- If your organization operates in a single EU Member State, or the data is collected, processed, and used in one country, notify the local DPA in that particular country.
- If your company transfers data across countries in the EU and operates in one of those countries, notify the Leading Supervisory Authority (LSA) in the country where the decisions about the data are made.
- If your company doesn’t have a presence in the EU, notify the DPA in every country where you are active.
In most cases, you can fill out the notification form online. Here you can find all the DPAs in the EU.
When Do You Not Have to Report a Personal Data Breach?
Article 33(1) of the GDPR states that breaches that are “unlikely to result in a risk of violation of the rights and freedoms of individuals” do not require notification to the supervisory authority.
Such a situation may arise, for example, if the data was already publicly available, so that the breach poses no risk to the individuals concerned.
The key element of the assessment is risk, which should be evaluated in every case of data breach. On this basis, an organization can determine whether the breach needs to be reported.
What Do You Need to Include in Your Data Breach Notification?
In accordance with Article 33 of the GDPR, the notification of a personal data breach should at least include:
- The nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer or other contact point where more information can be obtained.
- An explanation of the consequences of the breach.
- A description of the measures taken or proposed to be taken by the controller.
Conclusion
Managing a personal data breach under the GDPR is a critical responsibility for startups. Understanding the definitions of data breaches and leaks is essential, as is recognizing the legal obligations that arise from such incidents. According to Article 33 of the GDPR, organizations must promptly notify the appropriate Data Protection Authority (DPA) within 72 hours of a breach, and potentially inform affected individuals.
The notification must include detailed information about the breach, including its nature, the affected data subjects, the contact information of relevant personnel, the consequences, and the measures taken to address the breach. By adhering to these requirements, startups can ensure compliance with GDPR regulations and maintain the trust of their customers.
For more detailed guidance on data breach management and other regulatory requirements, consider consulting with our expert team. Contact us today to ensure your startup is fully compliant and prepared for any data protection challenges.