Not long ago, a breach that compromised the data of a few million people would have been big news. Now, breaches that affect hundreds of millions or even billions of people are far too common – Adobe, LinkedIn, Marriott International, etc. A few days ago, the Lithuanian company CityBee reported the theft of its customer data: customer names, surnames and personal identification numbers were stolen, and it is likely that further data such as phone numbers, residence addresses and driver's licence numbers were disclosed as well. In Lithuania, it is the first data leak of this scale since the GDPR came into force.
In case a data breach occurs, the ECOVIS ProventusLaw Data Protection, Cyber and IT Security, Operational Risk Team has prepared the following reminder of how to act:
- a procedure for detecting and investigating personal data breaches has to be prepared; it must be formally approved, and all employees must be familiar with it;
- a personal data breach must be reported to the relevant supervisory authority unless it is unlikely to result in a risk to individuals' rights and freedoms (Article 33 GDPR). The report must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it is made later, it must be accompanied by the reasons for the delay;
- if the breach is likely to result in a high risk to individuals' rights and freedoms (e.g. loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, damage to their reputation), those individuals must be informed without undue delay (Article 34 GDPR);
- the notification to the supervisory authority shall include at least the following information:
– a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
– a description of the likely consequences of the personal data breach;
– a description of the measures taken or proposed by the company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
– the contact details of the data protection officer or other contact point from whom more information about the breach can be obtained;
- the notification to the data subject(s) shall contain essentially the same information as the notification to the supervisory authority, except that the description of the nature of the breach need not state the categories and number of data subjects or the categories and number of personal data records concerned;
- in the notification to the data subject, the company/organization shall provide recommendations and a list of measures the data subject can take so that, in cooperation with the company/organization (and, if necessary, with the supervisory authority), infringement of the data subject's rights and freedoms can be prevented and/or the damage arising from the breach can be mitigated;
- the information in the notification to the data subject shall be provided in clear and plain language;
- if it is not possible to provide all of the information at the same time, the company/organization shall provide it in phases, i.e. as investigations are completed, new data is received or additional information is discovered, but in all cases without undue further delay;
- the company/organization is obliged to keep an internal register of personal data breaches recording every breach, its effects, the actions and measures taken to address it, its consequences, and the measures taken to prevent further breaches and their adverse effects. This register is what allows the supervisory authority to verify compliance with the notification obligations, so it should also record breaches that were assessed as not requiring notification, together with the reasoning for that assessment.
ECOVIS ProventusLaw can help you perform GDPR audits and IT/cybersecurity audits, provide consultations on other operational risks and data protection issues, and prepare the necessary documentation.
Prepared by assistant attorney at law Milda Šlekytė