GDPR Data Breach Register

It's important to be prepared for a potential data breach. It doesn't matter what kind of high-level security measures you implement, there are lots of workarounds to get the data that people are aiming to get. It's similar to theft of fixed assets, whatever precautions you take if people really aim to get it, it's much harder to protect yourself. Whatever security measures you have in place, you are never 100% sure that you are safe from a data breach. This Data Breach Register provides a log and offers more information on how to adjust your existing policies or how to create new policies and procedures to process personal data.

How to Respond to a Data Breach?

Firstly, make sure to find out when the breach happened and who is involved. Stay calm and take the time to investigate the issue.
If you are prepared, you have a guideline on how to respond, and what to do before you continue the daily business operations.
Notify your customers and follow your applicable reporting laws. Call in your security and forensic experts to identify and fix the problem.

Examples of a data breach are:

• an unhappy employee copying a list of customers for their personal use;
• an unauthorized individual that was able to access your email account or network;
• stolen or lost USB drives, hard drives, or mobile devices;
• even an email with personal data to the wrong person;
• bulk emails with personal data to large groups of people;
  
• somebody was able to access an unlocked safe or storage.
  

Do I need to report a (personal) data breach? 

Data breaches must be reported if they “pose a risk to the rights and freedoms of natural living persons”. This is in general if the persons who are victim of the breach are facing economic or social damage (such as discrimination), reputational damage, or financial losses. Such a breach could in the end lead to an investigation from the regulator, resulting in potential enforcement action against your organization.

How long do you have to report a data breach according to GDPR?

If you are aware of a notifiable personal data breach, you have 72 hours to report it to the relevant supervisory authorities. 
This is applicable when an organization suspects that there may have been a loss of, unauthorized access to, or unauthorized disclosure of personal information.

Therefore, being prepared is essential. We provide you a GDPR Data Breach Template that you can use if such an event of breach occurs to your organization.

Download this GDPR Data Breach Register (article 33.5) now. Make sure to demonstrate your efforts in order to become compliant with the GDPR if your organization collects personal data directly from EU Citizens. Do a quick gap analysis and check out this overview of mandatory documents required by the GDPR or GDPR Document Kit.

How to protect and register personal data according to GDPR requirements? 

According to the EU GDPR, you are required to identify and minimize the data protection risks of your organization. The documentation of processing activities is a legal requirement under the EU GDPR, which also probably your organization needs to comply with. It's therefore highly important that you document your data processing activities and that you also support good data governance, and help you to demonstrate your compliance with other aspects of the GDPR. This Data Protection Impact Assessment (DPIA) Log registers those steps and lists all of the documentation, policies, and procedures you have. This way, if you keep track of those steps taken, it helps you to become GDPR compliant. This DPIA template is an example of how you can record your DPIA process and outcome. It contains two taps and follows a logical evaluation process. You should modify this Excel with your Criteria for an acceptable DPIA, as is set out in EU guidelines on DPIAs. 

A DPIA is a process to help you identify and minimize the data protection risks of a project. You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA. You should start to fill out the DPIA template at the start of any major project involving the use of personal data, or if you are making a significant change to an existing process. Final outcomes should be integrated back into your project plan.

It is also good practice to do a DPIA for any other major project which requires the processing of personal data. So, your DPIA must include at least:

• description and the nature, scope, context, and purposes of the processing;
• assess necessity, proportionality, and compliance measures;
• identify and assess risks to individuals;
• identify any additional measures to mitigate those risks;
• to assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. The high risk could result from either a high probability of some harm or a lower possibility of serious harm;
• you should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you;
  
• if you identify a high risk that you cannot mitigate, you ask for further assistance before starting the processing.

For more details, you may check out this: Data Protection Impact Assessment (DPIA) Log Register.

What is GDPR?

The EU General Data Protection Regulation came into place in 2018. The regulation, which replaces the 1995 Data Protection Directive, makes changes to the way data is handled and processed in the EU. It is a legal framework that sets the exact guidelines for the collection and processing of personal information from any individuals who live in the EU.

Why GDPR is important for companies outside the EU?

First of all, GDPR isn’t exclusively enforceable on EU-based companies. The regulation affects organizations both inside and outside of the European Union (EU). Any organization dealing with EU businesses, residents, or citizens’ data will have to comply with the GDPR! The regulations make it very clear that all organizations handling such data will be required to comply, regardless of location or jurisdiction.

Since the Regulation applies regardless of where the organization is based, you will also need to ensure your website is GDPR proof if that website attracts European visitors, even if you don't specifically market goods and/or services to EU citizens.

Articles 12, 13, and 14 of the GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible. If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so.

Note that the terms “privacy notice” and “privacy policy” do not actually appear in the text of the GDPR and are essentially interchangeable. The guidelines explained in this article apply to any public documents in which your organization describes its data processing activities to customers and the public.

If an organization is collecting information from an individual directly, it must include the following information in its privacy notice, such as the identity and contact details of the organization, its representative, and its Data Protection Officer (DPO). According to the GDPR, organizations must provide people with a privacy notice that is:

• In a concise, transparent, intelligible, and easily accessible form
• Written in clear and plain language, particularly for any information addressed specifically to a child
• Delivered in a timely manner
• Provided free of charge

The GDPR also stipulates what information an organization must share in a privacy notice. There is a slight variation in requirements depending on whether an organization collects its data directly from an individual or receives it as a third party. Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data.

Per Article 14(3), if you obtain personal data from a third party, you must communicate the above information to the data subject either: no later than one month after you have obtained the data, at the time you first communicate with the data subject, or before sharing the data with another organization.