Personal data breaches
What is a personal data breach?
Under the GDPR, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. The definition covers accidental events and deliberate attacks alike, and it covers breaches of availability and integrity as well as breaches of confidentiality.
Examples of personal data breaches include:
- lost data transfer devices, such as USB memory sticks
- stolen computers
- malware infection
- cyber attacks
- fire in the data centre and
- mailing a bank statement to the wrong person.
For the individuals concerned, a personal data breach can have consequences such as loss of control over their personal data, identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation, or loss of confidentiality of personal data.
Document all personal data breaches
Both the controller and the processor of personal data must protect the data with technical and organisational security measures appropriate to the risk that the processing poses. The controller must also prepare for personal data breaches in advance by drawing up instructions for handling them, so that it can detect a breach and react to it as quickly as possible.
The controller must assess the level of risk that the personal data breach poses to the individuals concerned. The outcome falls into one of three categories:
- the breach is unlikely to result in a risk
- the breach is likely to result in a risk, or
- the breach is likely to result in a high risk.
The level of risk determines the measures required from the controller. Depending on the level of risk, these measures are:
- documenting the personal data breach (required in every case)
- notifying the supervisory authority (required when the breach is likely to result in a risk) and
- notifying the data subjects (required when the breach is likely to result in a high risk).
Document all personal data breaches, their effects and the remedial actions taken, regardless of whether the breach turns out to require a notification. Neglecting the documentation or notification obligations constitutes an infringement of the General Data Protection Regulation (GDPR) and may result in the sanctions specified therein.
If the personal data breach targeted an information system, the documentation obligation also covers the system's log data from the time of the breach, so the relevant logs must be preserved rather than allowed to be rotated or overwritten. The Data Protection Ombudsman may request the log data when processing the personal data breach notification.
Notify the supervisory authority within 72 hours
If a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the supervisory authority must be notified. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.
Personal data breaches must be reported to the Office of the Data Protection Ombudsman without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the personal data breach. The 72-hour period runs from the moment the controller becomes aware of the breach, not from the moment the breach occurred. A processor that becomes aware of a personal data breach must notify the controller without undue delay, unless it has been specifically agreed that the processor notifies the Office of the Data Protection Ombudsman directly on the controller's behalf. Even then, the responsibility for making the notification remains with the controller.
The notification is submitted using an electronic form. If the notification is not made within 72 hours, the controller must provide the Office of the Data Protection Ombudsman with the reasons for the delay. Where all the required information is not yet available, it may be provided in phases without further undue delay.
When should data subjects be notified of personal data breaches?
Data subjects must be notified of a personal data breach if it is likely to result in a high risk to their rights and freedoms. The controller must then communicate the breach to the data subjects without undue delay, so that they can take protective measures, such as blocking their payment cards.
Provide at least the following information in the communication:
- a description of the nature of the personal data breach
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- the likely consequences of the personal data breach and
- measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to data subjects is not required if:
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption)
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise or
- it would involve disproportionate effort, for example, if it is not known who the affected data subjects are. The matter shall be assessed in light of the risks. If the data subjects cannot be contacted personally, a public communication or similar measure whereby the data subjects are informed in an equally effective manner must be used.
If the controller has not already communicated the breach to the data subjects, the supervisory authority may, having considered the likelihood of a high risk, require it to do so.
What should you take into account in the risk assessment?
The controller must assess the risk that the personal data breach poses to the persons concerned. The outcome of the assessment determines which of the measures described above the breach requires.
The following matters must be taken into account in the assessment:
Read more
- Data breach notification
- GDPR: Articles 32–34, Recitals 83, 85–88 (EUR-Lex)
- EDPB: Guidelines on Examples regarding Personal Data Breach Notification (pdf)
- WP29: Guidelines on Personal Data Breach Notification under Regulation 2016/679 (pdf)
- The Digital and Population Data Services Agency's guide for organisations affected by a data breach or data leak on the Suomi.fi web service
- Guide on the National Cyber Security Centre's website: Collecting and using log data