
    What is a data breach: causes, effects and legal regulations on personal data breaches

    By Judit Llordés

    Often, more or less unconsciously, we authorize applications to access personal information, which is increasingly shared on social networks. The apps we use do not always respect strict privacy parameters, and too often the millions of personal records exposed to the public are genuinely at risk.

    Article 4 of the European regulation (the GDPR) defines a personal data breach as: "the breach of security that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed".

    Therefore, a data breach is not only a malicious event such as a cyber attack, but also an accidental event such as unauthorized access to, or the theft of, personal documents.

    What is a data breach? The definition

    A data breach is a security incident in which personal information is lost or accessed without authorization. It can happen, for example, that on some social networks the information of people, companies or organizations is made public without the consent of the users themselves.

    By definition, a data breach is not always associated with a cyber attack; it may instead occur through the careless handling of data by third-party apps.

    According to Articles 33 and 34 of the GDPR, notification of a personal data breach must take place as quickly as possible and, above all, within 72 hours of the moment the breach became known.

    Any delay must be duly justified.

    Articles 33 and 34 in the GDPR

    The European Union's General Data Protection Regulation, in force for some years now, introduced two articles that set out specific instructions for data breaches, in particular on how companies affected by a breach must behave.

    The regulation broadens the concept of a personal data breach: it covers not only data taken as a result of a hacker attack, but also the destruction, loss, modification or unauthorized disclosure of personal data.

    It is precisely with regard to reporting times that Article 33 was introduced: it establishes the data controller's general obligation to notify the supervisory authority of a data breach.

    The competent DPA provides online forms in which all mandatory information must be entered; these documents allow the supervisory authorities to verify compliance with the regulation.

    In recent years data breach cases have multiplied, making legal regulation necessary to protect privacy, and not only that of users. Users disclose confidential information almost everywhere: on social networks and when registering on websites and forums. An intervention by legislators was therefore needed to give Internet users more guarantees.

    In the event of a data breach, the notification must describe the nature of the breach, including the categories and approximate number of data subjects concerned, and indicate the name and contact details of the data protection officer.

    It must also describe the probable consequences of the breach and all the measures taken, or proposed to be taken, by the data controller to address it.

    When a personal data breach is likely to involve a high risk to the rights and freedoms of individuals, the data controller must communicate it to the data subjects concerned without undue delay.

    Communication to the data subject is not required if the data controller has implemented every valid measure and strategy aimed at protecting the data, such as rendering it unintelligible.

    Likewise, no communication is required where the data controller has taken all the measures necessary to avert a high risk of further harm to the rights and freedoms of the data subjects.

    Risk assessment

    To decide how to act in the face of a data breach, a risk assessment must be carried out, that is, an assessment of the possible harm to the rights and freedoms of individuals; for the purpose of a careful risk assessment, reference parameters are used.

    These parameters include the type of breach, the ease with which the affected users can be identified, the severity of the consequences for the data subjects, particular characteristics of the data subjects (for example minors), and the number of data subjects.

    There are several tools for assessing the risk of destruction or loss of personal data, all reliable and valid; the methodology followed must be indicated when communicating with the supervisory authority.

    It is possible to prevent, manage or resolve the loss or destruction of personal data by adopting a response protocol, by periodically testing the reliability of the security protocol adopted, and by relying on insurance coverage in the event of a data breach.

    In addition, a record of every data breach episode must be kept, and an investigation carried out to identify the nature and extent of the event.
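The following is an added worked example, not code from the original article, showing how a breach-response team might turn the elements above (the 72-hour notification window, the mandatory content of the Article 33 notification, the risk-assessment parameters, and the Article 34 exemptions) into a small, checkable breach record. The scoring weights, the 1-to-3 severity scale, the subject-count thresholds and the "high" cut-off are illustrative assumptions for the example, not values taken from the GDPR; the breach data is constructed.

```python
"""Breach-record helper built from the Article 33/34 elements described above.

Added example. Weights, thresholds and the severity scale are assumptions made
for illustration; they are not prescribed by the GDPR.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

# Article 33: notify the supervisory authority within 72 hours of becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)

# Content the notification must carry, as listed in the article above.
REQUIRED_FIELDS = (
    "nature",                 # nature of the breach
    "categories_of_subjects", # categories of data subjects concerned
    "approx_subject_count",   # approximate number of data subjects
    "dpo_contact",            # name and contact details of the DPO
    "likely_consequences",    # probable consequences of the breach
    "measures_taken",         # measures taken or proposed by the controller
)


@dataclass
class BreachRecord:
    became_aware_at: datetime
    nature: str = ""
    categories_of_subjects: List[str] = field(default_factory=list)
    approx_subject_count: int = 0
    dpo_contact: str = ""
    likely_consequences: str = ""
    measures_taken: str = ""
    # Risk-assessment parameters named in the article (vocabulary assumed).
    breach_type: str = "confidentiality"      # or "integrity" / "availability"
    subjects_easily_identifiable: bool = True
    severity: int = 1                         # assumed scale: 1 (low) .. 3 (high)
    involves_minors: bool = False
    # Article 34 exemptions from communicating to data subjects.
    data_unintelligible: bool = False         # e.g. encrypted, keys not compromised
    high_risk_averted: bool = False           # later measures removed the high risk


def notification_deadline(record: BreachRecord) -> datetime:
    """Latest time the supervisory authority should be notified."""
    return record.became_aware_at + NOTIFICATION_WINDOW


def notification_is_late(record: BreachRecord, now: datetime) -> bool:
    """True once the 72-hour window has passed; a late notification needs a justification."""
    return now > notification_deadline(record)


def missing_notification_fields(record: BreachRecord) -> List[str]:
    """Mandatory notification elements that are still empty."""
    return [name for name in REQUIRED_FIELDS if not getattr(record, name)]


def risk_score(record: BreachRecord) -> int:
    """Additive score over the article's parameters (assumed weights)."""
    score = record.severity
    if record.breach_type == "confidentiality":   # unauthorized disclosure or access
        score += 1
    if record.subjects_easily_identifiable:
        score += 1
    if record.involves_minors:
        score += 1
    if record.approx_subject_count >= 1000:
        score += 1
    return score


def risk_level(record: BreachRecord) -> str:
    """Map the score to the level used for the Article 34 decision (assumed cut-offs)."""
    score = risk_score(record)
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def must_communicate_to_subjects(record: BreachRecord) -> bool:
    """Article 34: communicate only for high risk, unless an exemption applies."""
    if risk_level(record) != "high":
        return False
    if record.data_unintelligible or record.high_risk_averted:
        return False
    return True


def sample_record() -> BreachRecord:
    """Constructed breach record used to exercise the checks."""
    return BreachRecord(
        became_aware_at=datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
        nature="Customer database exposed through a misconfigured third-party app",
        categories_of_subjects=["customers"],
        approx_subject_count=5000,
        dpo_contact="",   # deliberately left empty to show the completeness check
        likely_consequences="Identity fraud, unsolicited contact",
        measures_taken="Access revoked, credentials rotated, export logs reviewed",
        severity=3,
    )


if __name__ == "__main__":
    rec = sample_record()
    print("deadline:", notification_deadline(rec).isoformat())
    print("missing:", missing_notification_fields(rec))
    print("risk:", risk_level(rec), "communicate:", must_communicate_to_subjects(rec))
```

The completeness check is the part teams most often get wrong under time pressure: the deadline is fixed at the moment of awareness, so the record should be opened immediately and the mandatory fields filled in as the investigation proceeds, with the methodology used for the risk level noted alongside the score.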
