How to handle a data breach: essential steps for your business


It is nothing new to say that, given how pervasive technology has become, every company runs a constant risk of a cyber-attack, or that through a simple oversight its information can be lost or exposed to the wrong people (for example, when an employee loses a work laptop holding client data). From a data protection point of view, this is what is known as a security breach or security incident.

More specifically, the General Data Protection Regulation (‘GDPR’) defines a security breach as ‘any breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed’.

Steps to be taken when a security breach is detected in the company.

What should we do from the moment we discover or suspect that there has been a security breach in the company? We tell you in 6 steps:

Step 1: Detection and identification of the incident

Detection should be a continuous process rather than a one-off check: monitoring and alerting on abnormal behaviour in the company’s systems (for example, unusual access patterns or data transfers), together with a channel for staff to report lost devices or mis-sent e-mails, so that events that may amount to a security incident are identified promptly.

The security incident shall be classified into one or more of the following categories: (i) confidentiality incident (unauthorised disclosure of or access to personal data); (ii) integrity incident (unauthorised alteration of personal data); (iii) availability incident (accidental or unlawful destruction or loss of personal data). A single incident can fall into several categories at once; ransomware, for instance, typically affects availability and, where data is also exfiltrated, confidentiality.

Step 2: Gathering and analysing information related to the breach

It is essential to assess as accurately as possible the damage the incident may cause to the rights and freedoms of those affected: which categories of personal data are involved, the approximate number of data subjects and records, whether the data was protected (for example, encrypted) and the likely consequences for the individuals. This assessment drives every later step, since it determines whether the supervisory authority and the data subjects must be notified.

Step 3: Drawing up a response plan

The response plan should provide for the immediate application of the first containment measures, limiting the damage caused by the incident as much as possible (for example, revoking credentials, isolating affected systems or remotely wiping a lost device).

Once the incident is contained, the cause is eradicated and the appropriate recovery actions are completed (restoring systems and data from clean backups, verifying that the vulnerability or error that allowed the incident has been corrected).

Step 4: Security breach notification to the competent authority

Where the security incident is likely to result in a risk to the rights and freedoms of the individuals concerned, the controller shall notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If the notification is made after the 72-hour period, it must be accompanied by the reasons for the delay.

At least an initial notification must be made within this period; the GDPR allows the remaining information to be provided in phases without undue further delay, and the company may provide further information within 30 days of the initial notification.

Where the company acts as data processor, it must inform the data controller without undue delay after becoming aware of the breach and provide all the information the controller needs to comply with its own obligations in due time and form. The processor may make the notification on behalf of the controller where this is stipulated in a contract or other legal relationship.

Step 5: Communicating the breach to affected persons

Where the security incident is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the existence of the security breach to them without undue delay.

This communication shall be made in clear and plain language and shall describe the nature of the incident, its likely consequences, the measures taken or proposed to address it, and a point of contact where more information can be obtained. The communication shall preferably, and whenever possible, be made directly to the data subject, by telephone, e-mail or post, or by any other means deemed appropriate by the controller.

Step 6: Internal logging

The company shall record the security breach in an internal register and document the steps above, including the facts of the breach, its effects and the remedial action taken. This applies whether or not the breach was notified to the supervisory authority, and the documentation is what allows the authority to verify the company’s compliance with the regulations.

Do you have any questions about how to handle a data breach in your company?

If you do not yet have a security breach management protocol in place in your company, or your team has not received the necessary training on data protection, Metricson’s team of lawyers has extensive international experience and knowledge in the field.

If you would like more information about our services, you can send us a message to contacto@metricson.com or via our contact form on our website.

Article written by

Sara Hervías

Attorney – Privacy & IP

sara.hervias@metricson.com

About Metricson

With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.

If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!

Talk with us

958 558 442

Offices

Tuset, 19 - 2º, 3ª
08006 Barcelona
931 594 620

Javier Ferrero 10,
28002 Madrid

Paseo de Ruzafa 11, 6º, 12ª
46002 Valencia
960 500 761

Av. de la República Argentina, 25
41011 Sevilla
