In Persepctive: New breach notification requirements

What happened

• The Irish Data Protection Commission (DPC) has produced a new webform for data controllers to complete when notifying the regulator of a data breach.
• This webform is divided into ten section and includes questions related to the timeline of the incident, details of the breach, the data subjects that are affected and the actions taken following detection of the breach (such as communication of the incident to relevant stakeholders).
• The new form will also require users to specify whether the notifying person or the Data Protection Officer is the designated contact person for the DPC in relation to the breach notification, in order to streamline future correspondence and follow-up queries.

Why it matters

• The GDPR introduced a duty on all organisations to report certain personal data breaches to the relevant data protection authority. This must be done within 72 hours of becoming aware of the breach.
• If the breach is likely to result in a ‘high risk’ of adversely affecting individuals’ rights and freedoms, the data controller must also inform those individuals without undue delay.
• The new webform produced by the Irish DPC will facilitate decision-making about whether or not businesses need to notify the relevant supervisory authority or the affected individuals, or both.

What happened

• The Luxembourg data protection authority recently fined an employer €5,300 for using a video camera surveillance system on its premises and tracking devices in some of its employees’ vehicles.
• This was considered a breach of the data minimisation principle as well as noncompliance of the ‘right to be informed’ under data protection law.
• The field of vision of an installed camera was found to include the staff dining hall, an area designed for private use by the employee.
• Employees were also not fully informed of the existence of a geolocation system within the vehicles they were operating.

Why it matters

• Recording employees at their workplace is considered a ‘high risk’ processing activity and employees would not usually expect this to be happening without their prior notice, especially in areas usually considered private such as dining rooms and toilets.
• The principle of data minimisation requires businesses to consider necessity and proportionality when processing personal data.
• This involves considering whether anonymous information can be used instead and deciding whether less privacy-intrusive ways of processing personal data are available.

What happened

• The Dutch data protection regulator has fined Transavia Airlines C.V. (TACV) for not putting in place appropriate technical and organisational measures to prevent a personal data breach involving sensitive information.
• In October 2019, an unauthorised third party gained access to personal data contained within TACV’s systems.
• Following a root-cause analysis initiated by the business, it was found that the third party was able to infiltrate TACV’s systems using a process called ‘credential stuffing’ whereby commonly used passwords are used in a short period of time to gain access to a system.
• The user account that was entered also had the highest privileges and access to other systems used by the business.

Why it matters

• Information security is a key component of data protection law and is referred to throughout the text of the GDPR.
• Businesses should consider a mix of technical and organisational measures (such as encryption and policies/procedures) to keep data secure.
• It is also sensible to have all controls suitably audited and inspected on an annual basis so that there is a level of external assurance that can give confidence to senior management.
• ISO 27001 is an international standard on how to manage information security that many businesses aim to receive certification in and should be considered by all organisations processing large quantities of personal data.