Guidance on what a company should do in case of a breach of the security of the data it processes
First of all, once a data security breach has been identified, the company should assess whether the breach could jeopardize the rights and freedoms of natural persons.
For example, such a risk is unlikely if the lost personal data are already publicly available, having been published and made accessible to any interested person, or if the personal data lost by the data controller had been encrypted and the attacker does not have the key needed to decrypt them. On the contrary, the risk to the rights and freedoms of natural persons is almost certain if the loss of the data could mean that natural persons may suffer personal injury, that their identity could be stolen or tampered with, that the reputation of a natural person or a protected professional secret could be harmed, or that financial losses could be incurred, and so on.
If the data controller determines that there is a risk, the personal data security breach must be reported to the data protection authority. In Lithuania, this is the State Data Protection Inspectorate of the Republic of Lithuania. If the potential risk is high, the incident will also have to be communicated to the affected data subjects, as described in more detail below.
Secondly, it is particularly important to note that the data controller is required to act urgently in the event of a security breach: the incident must be notified to the competent authority without undue delay, and no later than 72 hours after becoming aware of the security breach.
As a general rule, the data controller is deemed to have become aware of a security breach from the moment it has reasonable grounds to believe that a security breach has actually occurred and that it may in turn have compromised the personal data of natural persons.
Thirdly, the notification to the data protection authority must include a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; the name and contact details of the data protection officer or another contact person able to provide more information; the likely consequences of the personal data breach; and the measures taken or proposed by the data controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. When describing these circumstances, the data controller may use the form approved by the State Data Protection Authority for notification of a breach of the security of data.
It should be noted that, under the data protection requirements, where all of this information cannot be provided at the same time, it may be provided in phases without undue delay.
Fourthly, as already mentioned, if the personal data security breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must inform the data subjects of the incident as soon as possible, in clear and plain language, in cooperation with the supervisory authority and in accordance with instructions from that authority or other authorities. The notification must describe the nature of the personal data security breach and include the other information provided to the supervisory authority, along with recommendations to the individuals concerned on how to minimize the potential adverse effects.
Fifthly, the data controller must document the data security breach that occurred, including the facts relating to the personal data breach, its effects and the remedial actions taken.
It should be noted that compliance with this obligation is important, among other things, because the supervisory authority has the power to verify whether all necessary steps have been taken to manage the data security breach and how this was done. In addition, the controller is required to show that lessons were learned from the violation and that the necessary steps have been taken to prevent such violations from happening again in the future.
Following the above steps, in this sequence, is mandatory in the event of a data security breach. By failing to follow them, the company would breach its own obligations as a data controller, which would be regarded as a separate violation of the GDPR and would mean further reputational and financial trouble, including the imposition of an additional fine or other sanctions, and probably a greater number of complaints from data subjects regarding the unlawful processing of their personal data.
Therefore, it is extremely important for each company to have clear and specific rules for managing personal data security breaches pre-determined and approved, to familiarize the persons responsible for the safe handling of personal data at the company with those rules, and to train them regularly, so that everyone knows what to do in the event of an incident and both the data subjects and the company suffer as little harm as possible.