Personal data breaches
What is a personal data breach?
A personal data breach means an event leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
Examples of personal data breaches include
- lost data transfer devices, such as USB memory sticks
- stolen computers
- hacking
- malware infection
- cyber attacks
- fire in the data centre and
- mailing a bank statement to the wrong person.
A personal data breach can have consequences such as loss of control over personal data, identity theft or fraud, damage to reputation, or the reversal of pseudonymisation or loss of confidentiality of personal data.
Document all personal data breaches
Both the controller and processor of personal data must protect the data with security measures corresponding to the risk related to the processing of personal data. The controller must also prepare for possible personal data breaches by drawing up guidelines for the eventuality of personal data breaches and be able to react to personal data breaches as quickly as possible.
The controller must assess the level of risk caused by personal data breaches to the individuals concerned, for example:
- no risk
- risk or
- high risk.
The level of risk determines the measures required from the controller. Such measures can include
- documentation of the personal data breach
- notification to the supervisory authority and
- notification to the data subjects.
Document all personal data breaches, their effects and the remedial actions taken, regardless of the measures eventually required by the personal data breach. Neglect of the documentation obligations or notifications constitutes an infringement of the General Data Protection Regulation (GDPR) and may result in the sanctions specified therein.
If the personal data breach was targeted at an information system, the documentation obligation also includes the information system's log data from the time of the breach. The Data Protection Ombudsman may request the log data for the processing of the personal data breach notification.
Examples of personal data breaches and who to notify (pdf)
Notify the supervisory authority within 72 hours
If a personal data breach can cause a risk to the rights and freedoms of natural persons, the supervisory authority must be notified. In Finland, the Office of the Data Protection Ombudsman functions as the supervisory authority.
Personal data breaches must be reported to the Office of the Data Protection Ombudsman without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the personal data breach. The processor shall first notify the controller of the personal data breach, unless it has been specifically agreed that the controller can notify the Office of the Data Protection Ombudsman directly of personal data breaches. However, the responsibility for making the notification remains with the controller.
The notification can be submitted using an electronic form. If the notification was not made within 72 hours, the controller must provide the Office of the Data Protection Ombudsman with a justified explanation for the delay.
When should data subjects be notified of personal data breaches?
Data subjects must be notified of personal data breaches if they are likely to cause a high risk to their rights and freedoms. The controller shall then communicate the personal data breach to the data subject without undue delay, so that the data subject can take measures such as blocking their credit cards.
Provide the following information in the communication:
- a description of the nature of the personal data breach
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- the likely consequences of the personal data breach and
- measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication will not be required if
- the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption)
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise or
- it would involve disproportionate effort, for example, if it is not known who the affected data subjects are. The matter shall be assessed in light of the risks. If the data subjects cannot be contacted personally, a public communication or similar measure whereby the data subjects are informed in an equally effective manner must be used.
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority may require it to do so.
What should you take into account in the risk assessment?
The controller must assess the risk posed by the personal data breach to the persons concerned. The assessment will determine the measures required by the personal data breach.
The following matters must be taken into account in the assessment:
The consequences of, for example, sensitive data leaking to the internet can be very different from those of being unable to access your personal data because of an information system malfunction.
The more sensitive the data affected by the personal data breach, the greater the risk to the persons concerned. A combination of different data types on the data subject is frequently more sensitive than a single data item. When a personal data breach affects a large group of people, the consequences are correspondingly wider.
It is important to assess how easily the data subjects can be identified from the materials affected by the personal data breach, either directly or indirectly in combination with other data. Identifiability can be influenced by how well the data has been encrypted or pseudonymised, among other things.
Personal data breaches can have more serious consequences when they involve children or others in a vulnerable position.
The sector and role of the controller can have an impact on the severity of the risk caused by the personal data breach. For example, if the personal data breach occurs in the patient record system of a hospital, the threat to the data subjects will probably be greater than if it had taken place in a newspaper's subscriber register.
The consequences of a personal data breach can be considered particularly severe if it can result in identity theft, fraud, anxiety, humiliation or loss of reputation.
The party that gained access to the information can also affect the consequences that can be expected. The likelihood of misuse can be greater if it is known that the data fell into the hands of a criminal, for example.
When assessing the risk involved in a personal data breach, take both the severity and the probability of the possible consequences into account. The more severe and the more probable the consequences for individuals, the greater the risk related to the personal data breach.
Read more:
- Data breach notification
- GDPR: articles 32‒34, recitals 83, 85–88 (EUR-Lex)
- EDPB: Guidelines on Examples regarding Personal Data Breach Notification (pdf)
- WP29: Guidelines on Personal Data Breach Notification under Regulation 2016/679 (pdf)
- The Digital and Population Data Services Agency's guide for organisations affected by a data breach or data leak on the Suomi.fi web service
- Guide on the National Cybersecurity Centre's website: Collecting and using log data