What’s the difference between a Security Incident and a Personal Data Breach? (But you were afraid to ask!)
Definition of a Personal Data Breach
Definitions are from ICO and WP29 guidance.
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Article 4(12).
“The consequence of such a breach is that the controller will be unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 of the GDPR.” WP29
“This highlights the difference…between a security incident and a personal data breach – in essence, whilst all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches.” WP29
Types of Personal Data Breach
The WP29 (now the EDPB) explains that breaches can be categorised according to the following three well-known information security principles:
- “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data.
- “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
- “Integrity breach” - where there is an unauthorised or accidental alteration of personal data.
Is lack of Availability a Breach?
Article 32 requires controllers to have “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
“Therefore, an incident resulting in personal data being made unavailable for a period of time is a security breach (and should be documented), yet depending on the circumstances, it may or may not require notification to the supervisory authority and communication to affected individuals.” WP29
If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify. This will need to be assessed on a case-by-case basis.
Another 72 Hours?
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” Article 33(1).
Documentation of Breaches
“The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.” Article 33(5).
Near Misses: they need to be documented too!
“In addition to these details, WP29 recommends that the controller also document its reasoning for the decisions taken in response to a breach. In particular, if a breach is not notified, a justification for that decision should be documented. This should include reasons why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals. Alternatively, if the controller considers that any of the conditions in Article 34(3) are met, then it should be able to provide appropriate proof that this is the case.” WP29
Gap Analysis: Security Incident vs Personal Data Breach
So, if you're thinking about breach training, get in touch and send me a message.
Thanks
David Clarke
- Author of the only online GCHQ/APMG certified Data Breach Course for GDPR
- https://apmg-international.com/product/gct/data-breaches-and-how-manage-them
- Follow me on Twitter @1davidclarke https://twitter.com/1DavidClarke
- Get The Latest on Data Protection Advantage https://paper.li/1DavidClarke/1477816063#/
- Connect with me on Linkedin https://www.linkedin.com/in/1davidclarke/
- Book a Telephone Call with me http://how2get.me/LetsTalk
- Leave me a Voicemail https://www.speakpipe.com/DavidClarke
- The Data Protection and Privacy Podcast https://www.buzzsprout.com/847885