

The clock is ticking after a data breach

der Standard
1 May 2018

Even the most secure IT system cannot completely prevent data breaches. For this data protection worst-case scenario, the General Data Protection Regulation (GDPR), which will be applicable from 25 May, provides for a strict procedure including reporting and notification obligations. This represents a significant tightening of the legal situation to date. In order to comply with these new rules within the very short legal deadlines, companies must proactively prepare for the data emergency.

Any breach of the security of personal data that leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to that data must be reported. Examples of a data breach include the loss or theft of laptops or business phones containing personal data and a USB stick left behind on the underground, but also a hacker attack or an infection of a computer system with ransomware.

In the event of a data breach, the data protection authority must be notified within 72 hours of the incident becoming known, in addition to taking immediate measures such as blocking the affected device or disconnecting it from the internet. The clock starts at the latest upon actual knowledge of the data breach. Even in the event of mere suspicion, however, internal investigations must be initiated immediately to clarify the situation; in that case the 72-hour period runs as soon as the data breach has been identified with "sufficient certainty".

Detailed notification

The notification to the data protection authority must be very detailed and cover the following minimum content:

  • Description of the data breach including details of the data subjects and data types affected;
  • Contact details for questions from the data protection authority;
  • Description of the likely consequences of the data breach;
  • Description of countermeasures to remedy or mitigate the effects.

In practice, this extensive information can only be provided within such a short time if the company maintains an up-to-date record of processing activities and has carried out any required data protection impact assessments in advance. The most important information to be reported to the authority in the event of an incident is already compiled there.

If the data breach results in an "expected high risk" for data subjects, they must also be informed "immediately" and directly - e.g. if the data subject faces material or immaterial damage as a result of the data breach, such as exposure, identity theft, fraud, financial loss or damage to reputation. Particularly when the data breach concerns sensitive data, notification of the data subjects is indispensable.

If the company is unsure whether direct notification of the data subjects is necessary, it can request an assessment from the data protection authority. However, the authority may also proactively order such a notification.

Further violation

Failure to report data protection violations constitutes a - further - data protection violation and is subject to a strict punitive regime. At the same time, a report made in good time has a mitigating effect, but it does not exempt the company from punishment if the data breach is itself due to a GDPR violation - for example because an inadequate security system was used or the data processing activities were inadmissible in the first place.