Personal data breaches
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data. The definition covers not only confidentiality breaches (data disclosed to or accessed by someone who should not have it) but also integrity breaches (data altered) and availability breaches (data destroyed or lost, even temporarily).
Examples of personal data breaches include
- lost data transfer devices, such as USB memory sticks
- stolen computers
- hacking
- malware infection
- cyber attacks
- fire in the data centre and
- mailing a bank statement to the wrong person.
A personal data breach can have consequences such as loss of control over personal data, identity theft or fraud, damage to reputation, or the reversal of pseudonymisation or loss of confidentiality of personal data.
Document all personal data breaches
Both the controller and the processor of personal data must protect the data with security measures corresponding to the risk related to the processing. The controller must also prepare for possible personal data breaches by drawing up instructions for handling them in advance, and must be able to react to a breach as quickly as possible.
The controller must assess the level of risk caused by personal data breaches to the individuals concerned, for example:
- no risk
- risk or
- high risk.
The level of risk determines the measures required from the controller. Such measures can include
- documentation of the personal data breach
- notification to the supervisory authority and
- notification to the data subjects.
Document all personal data breaches, their effects and the remedial actions taken, regardless of which measures the breach eventually requires. Neglecting the documentation or notification obligations infringes the General Data Protection Regulation (GDPR) and may result in the sanctions specified therein.
If the personal data breach concerned an information system, the documentation obligation also covers the system's log data from the time of the breach. Preserve the relevant logs as soon as the breach is detected, before routine log rotation or retention limits overwrite them. The Data Protection Ombudsman may request the log data when processing the personal data breach notification.
What should you take into account in the risk assessment?
The controller must assess the risk posed by the personal data breach to the persons concerned. The assessment will determine the measures required by the personal data breach.
The following matters must be taken into account in the assessment:
- The type of breach. The consequences of, for example, sensitive data leaking onto the internet are very different from those of personal data being temporarily inaccessible because of an information system malfunction.
- The nature, sensitivity and volume of the data. The more sensitive the data affected by the personal data breach, the greater the risk to the persons concerned. A combination of different data types on the same data subject is frequently more sensitive than a single data item, and the larger the group affected, the more widespread the consequences.
- How easily individuals can be identified. Assess how easily the data subjects can be identified from the material affected by the breach, either directly or indirectly in combination with other data. Identifiability depends, among other things, on how well the data was encrypted or pseudonymised, and on whether the encryption or pseudonymisation keys were also compromised.
- Vulnerable persons. Personal data breaches can have more serious consequences when they involve children or others in a vulnerable position.
- The sector and role of the controller. These can affect the severity of the risk caused by the breach. For example, if the personal data breach occurs in the patient record system of a hospital, the threat to the data subjects will probably be greater than if it had taken place in a newspaper's subscriber register.
- The severity of the consequences. The consequences of a personal data breach can be considered particularly severe if it can result in identity theft, fraud, anxiety, humiliation or loss of reputation.
- Who gained access to the data. The party that obtained the data also affects the consequences that can be expected. The likelihood of misuse is greater if, for example, the data is known to have fallen into the hands of a criminal than if it was sent by mistake to a trusted recipient who has confirmed its deletion.
When assessing the risk involved in a personal data breach, take the severity and probability of the possible consequences into account. The risk related to a personal data breach is the greater, the more severe and probable the consequences for individuals.
Notify the Office of the Data Protection Ombudsman
The supervisory authority must be notified of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In Finland, the Office of the Data Protection Ombudsman functions as the supervisory authority.
Personal data breaches must be reported to the Office of the Data Protection Ombudsman without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach. A processor that detects a breach must notify the controller without undue delay; the processor notifies the Office of the Data Protection Ombudsman directly only if this has been specifically agreed. In either case, responsibility for making the notification remains with the controller.
The notification is filed using an electronic form.
Address at least the following issues in your notification
In the notification, the controller must provide a detailed assessment of the severity of the personal data breach's possible impact on the data subject. The purpose is to specifically assess the severity of the impact to the data subject instead of the consequences to the controller.
If the controller states on the Office of the Data Protection Ombudsman's notification form that the severity of the possible impact to the data subject is Significant or Maximal, then as a rule the controller must also notify the data subjects of the incident without undue delay, and must record under "Communication to data subjects" on the form whether the data subjects have already been notified (Yes or No) or will be notified.
It is the controller's duty to assess the severity of the potential impact of the data breach. If the controller has assessed the severity of the impact to the data subject incorrectly, the supervisory authority will ultimately decide, based on the information provided by the controller, whether the threshold for notifying the data subjects is crossed.
The Office of the Data Protection Ombudsman can order the controller to notify the data subjects if the notification threshold is crossed and the controller has not notified the affected data subjects of the personal data breach on its own initiative.
The Office of the Data Protection Ombudsman's data breach notification form contains three notification types: Complete notification, Preliminary notification and Complementary notification.
A complete notification is filed if the controller is aware of the details of the data breach. Some details may still be unclear when filing the notification, but it is clear to the controller based on the facts uncovered that the incident involves a personal data breach that meets the criteria for notifying the supervisory authority.
The preliminary notification is intended to give controllers the opportunity to report observations of potential personal data breaches while the details are still scarce or unclear. If a controller files a preliminary notification, it must supplement it on its own initiative, with a complementary notification, as it obtains more information about the incident.
Filing a complementary notification on your own initiative simplifies and expedites the processing of the matter by the supervisory authority and decreases the need for the supervisory authority to contact the controller.
If the controller states in the personal data breach notification that it is still investigating some details of the incident, it must remember to file a complementary notification on its own initiative once it has obtained the required further information.
The personal data breach notification should be filed without undue delay even if the details of the event are not fully clear yet. The supervisory authority must be notified of the data breach within the time limit.
If a controller detects a personal data breach that the supervisory authority must be notified of, the controller must carry out this notification without undue delay and, where feasible, within 72 hours. If the notification is not made within 72 hours, the controller must provide a justified explanation for the delay to the Office of the Data Protection Ombudsman.
Examples of personal data breaches and who to notify (pdf)
When should data subjects be notified of personal data breaches?
Data subjects must be notified of a personal data breach if it is likely to result in a high risk to their rights and freedoms. The controller must then communicate the breach to the data subjects without undue delay, so that they can take protective measures such as blocking their payment cards.
Provide the following information in the communication:
- a description of the nature of the personal data breach
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- the likely consequences of the personal data breach and
- measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication will not be required if
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption)
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise or
- it would involve disproportionate effort, for example, if it is not known who the affected data subjects are. The matter shall be assessed in light of the risks. If the data subjects cannot be contacted personally, a public communication or similar measure whereby the data subjects are informed in an equally effective manner must be used.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may require it to do so.
Measures taken by the controller after detecting a personal data breach may eliminate the high risk to the data subject, at least from the moment the measures take effect. When assessing the severity of the potential impact, the controller must nevertheless consider whether the breach already constituted a high-risk situation before those measures were initiated, one that the later measures cannot retroactively remedy.
Even if the high risk is considered to have been eliminated by the measures taken after detection, the data subject may already have been exposed to a high risk in the period before the measures took effect. In such cases the data subject must, as a rule, be notified of the personal data breach.
Read more:
- Data breach notification
- GDPR: articles 32–34, recitals 83, 85–88 (EUR-Lex)
- EDPB: Guidelines on Examples regarding Personal Data Breach Notification (pdf)
- WP29: Guidelines on Personal Data Breach Notification under Regulation 2016/679 (pdf)
- The Digital and Population Data Services Agency's guide for organisations affected by a data breach or data leak on the Suomi.fi web service
- Guide on the National Cybersecurity Centre's website: Collecting and using log data