What is a data breach?
A data breach is any breach of security in which personal data has been lost, unlawfully altered, provided or viewed. Think of data files that are hacked or a laptop that is stolen. A sole threat or shortcoming in the security of personal data is not sufficient. In the event of a data breach, data is in any case lost or exposed to parties who are not entitled to the personal data (this is also referred to as 'unlawful processing'). Pursuant to the GDPR, an organisation is obliged to document all (possible) data leaks. Documentation takes place by including the (possible) data leak in a Register of Data Leaks. In addition, in certain cases there is an obligation to report to the Authority for Personal Data and the parties involved.
What is registered in the personal data breach register?
In a personal data breach register all information about a (suspected) data leak must be recorded. The register is part of your organisation's data protection management, as well as the processing register and the data protection impact assessments (DPIA). A personal data breach register must contain all information about a (suspected) data breach. At least the following information must be documented in the personal data breach register:
A description of the data breach;
- Date/place/time of the data breach;
- The consequence of the data breach (i.e.: the data that has been lost/copied/modified);
- To whom the leaked personal data belongs;
- The category of personal data that has leaked;
- The (possible) consequences of the data leak (e.g. risk of reputational damage/identity fraud); and
- The measures taken to limit the damage caused by the data breach.
Contact us
As described above, every organization is required to maintain a register of personal data breached. We at Legal Q have developed a workable and GDPR-compliant model for this. Please contact us for more information about this service or if you have any other questions about the AVG.