Data Protection Consultation at KINAST
Data Breach Management
Data breach management describes the process of identifying a data protection incident, reacting to it, handling it, notifying the relevant parties and implementing the resulting measures.
What is Data Breach Management and why is it important?
Data breach and data incident are often used synonymously. However, the terms refer to different levels of severity: while every data breach is a data incident, not every data incident is a data breach. Data breaches are incidents that entail a risk for the data subjects concerned.
As data protection incidents can happen in any area of business, the internal process of handling such incidents should be known by all employees – how to identify such a data protection incident, who to turn to when it happens, and which departments should be involved in the handling of such an incident.
Necessary measures when managing a data breach
In terms of data protection, data breach management also includes notifying the responsible supervisory authority and the affected data subjects if a case-by-case assessment determines that a risk for the rights of the data subjects is likely and, in the case of the data subjects, that this risk is high. This generally requires quick action, as the supervisory authority must be notified within 72 hours of becoming aware of the incident. If this deadline is not met, the supervisory authority may impose fines.
Do you need an External Data Protection Officer?
Five steps to compliance:
1. Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and the most important data protection topics.
2. We conduct a data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.
3. We document the current data protection status and define further required actions if necessary.
4. We carry out all necessary measures identified during the data protection audit.
5. Designation as External Data Protection Officer and ongoing consultation starting from day 1.
What is considered a data protection 'incident'?
A data protection incident can appear in many forms, inter alia, the following:
- Loss of tangible assets (laptop, phone),
- Sending personal data to the wrong recipient (e.g., via e-mail, or on the phone, etc.),
- Accidental destruction of personal data (e.g., through a fire in a work building, deletion of files, etc.),
- Processing of personal data without purpose or legal basis (e.g., taking pictures without the necessary consent, etc.),
- Accidental access by unauthorized third parties (e.g., cyber attacks, phishing e-mails, wrong recipient of specific access rights, etc.).
Incident category levels
- An incident which poses a high to very high risk for the rights of the data subjects and where that risk is very likely to materialise.
- An incident which poses a medium risk for the rights of the data subjects and where that risk is likely to materialise.
- An incident which poses a very low risk for the rights of the data subjects and where that risk is unlikely to materialise.
Do you have a data breach incident? Time is of the essence.
How do we guarantee your data protection compliance in your international company or corporation?
If required, we can act as your External Data Protection Officer. To guarantee a timely and cost-effective execution of the necessary data protection measures, we have developed our own concept based on a three-point plan:
As a first step, we carry out a risk assessment in your company. We carry out the risk assessment either on-site or remotely. Based on the findings, we prepare a report that documents the degree of compliance with data protection standards. Furthermore, the report identifies any vulnerabilities, proposes suitable measures to remedy those vulnerabilities, defines responsibilities and sets a timetable for the implementation of these measures.
In the next step, we implement the measures identified within the framework of the risk assessment, attaching great importance to tying up as few of your internal resources as possible.
Finally, as an External DPO, we support your company permanently in all aspects of data protection. In this way, we ensure ongoing compliance with legal standards, the adaptation of procedures to the requirements of new laws, and the consideration of current changes in internal processes.
Leading the legal field of data breach management
As one of Germany’s leading law firms in the field of data protection, we can support you in making sure that your data breach management process is compliant with the GDPR and local data protection law as well as aligned with your internal processes. Whether by drafting a process for and with you, providing the necessary documentation templates or advising you on how to implement it, we adjust to your needs and are driven to ensure your process holds up in the event of an incident.
We align with your business
Our role in your data breach management
Our support does not start and end with the definition (or implementation) of a process. In alignment with you, we offer our support as part of the data incident management process. As such, we define with you at what point in the process we are involved, so that we can review and ensure that all relevant aspects of the documentation and notification are legally compliant and that risks are minimised.
Whether in our role as Data Protection Officer or consultant, we involve ourselves at the beginning of the process and focus on aligning with your business and your team in order to ensure the necessary steps are taken within the applicable deadlines.
You can count on us to provide the legal advice and assessment necessary in the event of a data protection incident and identify the next steps to take, giving your business and your team more time to focus on identifying the source, taking counter measures and gathering the information necessary during an incident.
No more need to worry about handling a data breach incident
There are many stress points when an incident occurs: handling the situation according to legal requirements, spending precious time assessing the severity of the breach, and assessing whether a notification to the supervisory authority is necessary. These are worries that our legal team will take off your hands.
With our support, incidents can be addressed more quickly and effectively, while your team can focus on implementing measures to mitigate the incident.
Data Breach Management and international data protection consultation at KINAST
Urgent help or long term data breach assistance
A data breach can come suddenly and unexpectedly. Whether you need help right now or want to plan ahead for such eventualities, our experienced lawyers and data protection officers are here to help. We specialise solely in data protection, and we have been advising international groups and corporations since before the GDPR came into effect.
So why not contact us today for a free, no obligation consultation?
Frequently asked questions
A data breach can be a troubling time. We understand that there will be a lot of worry and time is of the essence. Below, we’ve answered some of the most frequently asked questions when clients approach us with a data incident. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as possible.
A notification requirement is to be assessed on a case-by-case basis and depends on the severity or risk level of the incident as well as the likelihood of this risk affecting the data subjects. We are happy to conduct such an assessment for you once we receive the information regarding the incident. Reaction time is very important, so if you are already asking this question we strongly suggest that you contact us as quickly as possible.
While supervisory authorities can fine controllers for not fulfilling their obligations under the GDPR and therefore being responsible for the data protection incident, it is important to note that supervisory authorities have other options as well. Before imposing fines, supervisory authorities first assess the situation and, depending on the specific case, may first order measures to be taken by the controller to prevent such incidents from happening again. Should the controller not implement these measures within the given time frame, supervisory authorities usually start to consider fines.
There are many different preventive measures that can be taken to ensure incidents do not repeat themselves. While most measures have to be defined for the specific incident, some general measures help prevent many lower-risk incidents. These include implementing appropriate technical and organisational measures according to Art. 32 GDPR for all areas of your business, as well as offering regular training for employees that sensitises them to handling personal data according to the legal requirements and raises awareness of data protection incidents that can easily happen, such as sending personal data to the wrong recipient or falling for phishing e-mails.
According to Art. 34 GDPR, data subjects have to be notified if the risk to their rights and freedoms caused by the incident is high and likely to materialise. These risks have to be identified on a case-by-case basis; however, the threshold also depends on the amount and type of personal data affected. For example, you are more likely to have to notify the data subjects if an external third party gained unauthorised access to some of your personal data than if one of your employees had unauthorised access to it.
In general, this depends on whether the cause was internal or external and whether it was intentional or accidental. If the cause was internal and accidental, contractual safeguards and mandatory training may be a way to handle the situation. If it was intentional, steps under labour law should be considered.
If the cause was external, the main issue is to identify the cause. If that is possible, there may be civil claims to raise in the case of accidental causes, or even criminal complaints in the case of intentional ones.