Personal data breaches can occur in both the public and private sectors, but it can be difficult to know how to deal with them. Here we look at what a data breach is, the types of data breaches you may encounter, what you and the data controller need to do, and what the Data Protection Agency does when a breach is reported.
What is a personal data breach?
Before you can judge whether a personal data breach needs to be notified, you need to know what counts as one. A personal data breach is the release, storage or handling of personal data to which you have not consented.
This is personal data that you do not intend to share publicly and that only the company or authority in question should hold. For example, if the company keeps the information for longer than agreed, or passes it to a third party, that is a breach of the GDPR and of the security of your personal data.
The GDPR becomes applicable from the moment your information is stored by a company. This can be information you provide if you buy a product from them, if you pay an invoice or something else entirely.
Types of personal data breaches
As mentioned above, storing personal data without your consent, keeping it beyond the agreed retention period, and sharing it are all types of data breach. In addition, the following are some of the other types of personal data breach:
- Persons who are not authorised to have your information gain access to your personal data. They either access it themselves (e.g. by hacking) or the data controller shares it without your consent.
- Your data is changed or the personal data is accidentally deleted.
- There is a breach of the controller's server where personal data is leaked. These are, for example, social security records, credit card details, etc.
- The controller - knowingly or unknowingly - transfers personal data to a third party. This may be a customer who gains access to another customer's files.
- The controller's files and records store personal data without encryption - this may allow multiple unauthorised parties to gain access to personal information.
As a general rule, you should report all these types of personal data breaches if you are exposed to them.
According to the statistics on security breaches reported by the public and private sectors, the majority of reports concern the right information being sent to the wrong recipient. It is therefore important to double-check the recipient before sending or sharing sensitive data.
The second most frequent reason for reports is the publication of documents and personal data. Less frequent are reports of the wrong information being sent to the right recipient, of letters being lost and of insecure transmission.
Among the cases reported least often, and thus with the fewest recorded occurrences, are hacking, loss or theft of devices, social engineering, brute force and credential stuffing, and ransomware. So although hacking is rarely reported, attention should still be paid to any information leaked during a hacking incident.
To put this in perspective, there were 8863 reported cases of the right information ending up with the wrong recipient, 426 reports of hacking and 93 ransomware attacks. All figures cover the period from 2020 to 2022.
My information has been leaked, what do I do?
If you discover that your data has been leaked in a personal data breach, the first step is to contact the data controller of the company that leaked your personal data or breached the GDPR rules. By contacting them first, you can find out whether the damage can be limited or whether they can withdraw the personal data themselves, so that the incident does not have to be reported to the Data Protection Agency.
If you do not consider the company's handling adequate, you can complain to the Data Protection Agency and report the incident to them. The company's data controller is typically obliged to notify a personal data breach within 72 hours of becoming aware of it. If it has already been notified, the DPA will take no further action on your report, as the case is already in their system and being processed.
What does the Data Protection Agency do with the reported personal data breaches?
If the breach has not been notified, you should contact the Data Protection Agency yourself. The DPA receives between 600 and 800 notifications per month, so it screens cases and reports to gauge their importance. It assesses the nature and scope of the incident, the personal data involved and how the data controller has dealt with the breach.
For a minor report, the DPA typically takes no further action beyond sending a letter to the data controller recommending that it notify the people affected, if it has not already done so. The DPA will also make recommendations for dealing with the specific situation the public or private organisation faces.
If not all the necessary information has been provided, the Data Protection Agency will ask additional questions and assess whether further action is needed. If the breach is serious enough, the DPA will in extreme cases report it to the police.
Caroline is a copywriter here at Moxso alongside her studies. She is doing her Master's in English and specialises in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.