Do I have to communicate a personal data security breach to data subjects? New “GDPR Communicate-Breach” tool

2020-10-30T10:50:00
Spain

The General Data Protection Regulation, along with the obligation to inform the authorities of a personal data security breach, requires each data controller to notify the data subject immediately when it is likely that the personal data security breach will jeopardize their rights and freedoms.

October 30, 2020

In this regard, the Spanish Data Protection Agency (“AEPD”) has created the “GDPR Communicate-Breach” tool to assist data controllers in deciding whether to notify data subjects.

The user interface is intuitive: the data controller moves through successive screens and answers questions on the security breach that has taken place. In particular:

  • The starting point is the data controller’s sector of activity.
  • The AEPD then asks about the breach, the type of incident, its origin and whether it is the result of a “cyber incident.”
  • The tool then attempts to estimate the consequences of the security breach. Among other aspects, it looks at whether third parties have accessed the data, whether the data have been destroyed, lost or altered, the degree to which the breach could affect the data subjects, whether the data are encrypted, and whether their availability has been recovered.
  • It also examines the type of data and data subjects affected, classifying them by number and by category (e.g., minors, vulnerable groups), when the breach occurred and when the data controller detected it.

Following this process, the tool can offer the data controller three different results: (i) they need to communicate the security breach to the data subjects; (ii) no communication is necessary; or (iii) it is not possible to determine the risk level.

In any case, the AEPD highlights that the tool seeks “to promote transparency and proactive responsibility among data controllers” and insists that it does not replace the risk level assessment by the data controller, as they have firsthand knowledge of the processing, the characteristics of the data subjects, the circumstances that led to the security breach, and all the factors related to the specific processing.

This tool is included in the “AEPD’s decalogue of assistance resources” made available to the public and containing the main guidelines and technological resources for data controllers and processors, data subjects and developers.

Authors: Alejandro Negro and Raúl Pérez