Managing data breaches properly

Don't wake the dogs or reporting sets free?


The danger of cyber risks is constantly increasing. In addition to the threat to IT security, IT security incidents are always relevant in terms of data protection law. Read here how to react correctly and what preparations you can make in the event of an emergency.

What is a data breach?

According to Art. 33 (1) GDPR, a data breach is "a personal data breach", i.e. an incident that violates the security of personal data so that unauthorised persons can access it. Classic cases are

  • Accidentally sending the wrong emails or having too large an open mailing list
  • Access to IT systems as a result of hacking or phishing attacks
  • Theft or loss of data carriers, laptops, etc.
  • Security gaps in IT systems
  • Hidden but not deleted information in Excel documents

What needs to be considered for data breaches?

The top priority with data breaches is to quickly identify and eliminate the cause in order to minimise or eliminate the consequences for data subjects and prevent the data breach from spreading.

If the data breach results in risks to the rights and freedoms of the data subjects or if this cannot be ruled out, the data breach must be reported to the competent supervisory authority immediately and, if possible, within 72 hours. This happens relatively frequently.

If the data breach is also likely to result in a high risk to the rights and freedoms of the data subjects, the data subjects must also be informed immediately. This happens, but is less common than reporting to the competent supervisory authority.

Measures for internal detection and reporting

In order to be able to react appropriately to a data breach, it is particularly important that data breaches are quickly recognised internally and reported internally immediately. This requires that all employees know what a data breach is, to whom it must be reported internally and how it should be reported. It makes sense to create an instruction, guideline or similar document that describes the process. However, this process must also be communicated to employees so that they are aware of it and can follow it. The motto for this is: train, train, train.

Internal treatment - countermeasures and decision on the report

After the internal report, people should immediately come together and take action who can take technical countermeasures, evaluate the process and decide on further (legal) steps. The composition of the data breach team is made up of several or the following stakeholders:

  • IT department
  • IT securityInformation securit
  • Cyyber insurance
  • Data protection officer
  • Legal department
  • External legal and IT and IT security consultants
  • senior management

The first priority of the data breach team should always be to take countermeasures, then clarify the extent of the incident and then decide on the next steps. Further steps are usually

  • Deciding whether to notify the relevant data protection authority (mandatory for all companies if the requirements are met)
  • Decision to report to the BSI (mandatory for KRITIS companies, voluntary for other companies)
  • Decision on whether to file a criminal complaint with the cybercrime unit of the competent state criminal investigation office (not mandatory)
  • Decision on informing the data subjects
  • Implementation of the measures

Notification of data breaches to data protection authorities

If there is an obligation to report under Art. 33 GDPR, the report should be submitted within 72 hours of the incident being discovered. To be on the safe side, the first internal knowledge should be used to calculate the deadline. A later notification is possible and, in case of doubt, still makes sense after 72 hours; however, reasons must then generally be given as to why the 72-hour deadline was not met.

Art. 33 GDPR does not provide for a special form of notification. However, the supervisory authorities have online notification forms for this purpose and it is advisable to use these because the supervisory authorities receive the notification in a form that enables it to be processed quickly and, ideally, dealt with. This must be the aim of the notification.

Information of data subjects

Pursuant to Art. 34 (1) GDPR, data subjects must be informed if there is a high risk to the rights and freedoms of the data subjects. In this case, the data subjects must be informed about the incident in clear, simple language. The information should contain at least this information

  • Description of the nature of the personal data breach
  • where possible, the categories and approximate number of data subjects and data involved
  • the name and contact details of the data protection officer or other contact point for further information
  • Description of the likely consequences
  • Description of the countermeasures taken or proposed

There are exceptions where personal information does not have to be provided. However, these should be treated with caution.

  • You have taken appropriate technical and organisational security measures to prevent access to the data, in particular through encryption.
  • You have taken measures to ensure that, in all probability, the risk to the rights and freedoms of the data subjects no longer exists.
  • Notification would involve a disproportionate effort. In this case, a public announcement or similar measure must be made instead, through which data subjects are informed in a comparably effective manner.

Does reporting make you free and what are the consequences of failing to report?

The question of whether to report an incident is often discussed intensively in the data breach team. The concern that management, legal department and IT controllers in particular often have is that they could bring the data protection supervisory authority and thus many problems into the company or possibly provoke conditions and sanctions. Attempts are then often made to minimise the incident or the consequences in order to avoid a report.

These concerns are generally unfounded. Section 43 (4) BDSG contains a prohibition on the utilisation of evidence for the contents of the report, which we believe is observed by the data protection authorities despite criticism of the provision under European law. In this respect, the following applies: What is reported cannot be used against the controller.

In addition, the reactions of the data protection authorities to reports are generally much more harmless than is often feared. You often receive an acknowledgement of receipt, occasionally queries, and also occasionally the notification that the process has been checked and finalised. It is possible that a report will be followed by a supervisory process, but this is rather rare in relation to the number of reports submitted.