Data Protection Reform and Security

Page 1: ‘MOSTLY HARMLESS’
DATA BREACH NOTIFICATION UNDER REGULATION (EU) 1725/2018
DPO Meeting, Frankfurt 17 May 2019
IT Policy, Xabier Lareo
Page 2: DATA BREACH NOTIFICATION – STATE OF PLAY
• The EDPS received a total of 31 notifications from all sorts of EU institutions and bodies (EUI).
• 3 personal data breach notifications concern incidents where special categories of data are involved (health data (2) and political opinions (1)).
• 6 notifications were received after the 72-hour threshold. In one case the processor delayed significantly in informing the controller in due time.
• The controller decided to notify the data subjects in 10 cases.
Page 3: TYPE OF DBN
Bar chart: Complete notifications 22, Notification in phases 9.
Page 4: TYPE OF DBN
Bar chart (type of security incident): Confidentiality 29, Availability 2, Integrity 1.
Page 5: NUMBER OF DBN PER CONTROLLER SIZE
Pie chart: Big 19%, Medium 71%, Small 10%.
Page 6: NUMBER OF AFFECTED DATA SUBJECTS
Bar chart: Less than 10: 13; Between 10 and 99: 6; Between 100 and 999: 10; More than 1000: 2.
Page 7: ROOT CAUSE
Pie chart: Human error 78% (24), Technical bug / functionality 19% (6), External attacker 3% (1).
Page 8: LESSONS TO BE LEARNED
• The risk of a human error causing a data breach can be avoided or mitigated.
• The aim of giving data controllers 72 hours to notify is not to ‘solve’ the data breach.
• The distribution of data breaches does not correlate with the size of the institution. Data breach prevention is for all.
• Communication between data controllers and processors must be agile. This requires both contractual and operational safeguards.
• Risk assessments of the impact on data subjects’ privacy must be formal, objective and documented.
Page 9: OBSERVED DIFFICULTIES
• Responding in time and notifying the Supervisory Authority (within 72 hours):
  Internal communication problems delayed the process
  Lack of a decision on the incident
• Correct identification of a personal data breach
• Notifications with an assessment of no risk
• Notifications where the risk has been completely avoided
• Lack of training and awareness
• Assessment of risk (different approaches observed), in line with DPO skills
Page 10: MEETING THE 72-HOUR DEADLINE
• The hours of a Saturday or Sunday count as much as the hours of a Monday.
• There is nothing wrong with using a phased notification.
• Personal data breaches are security incidents ► Incident response plan:
  Who will do what
  Who should be informed
  How to get in contact with the external and internal stakeholders
  Templates
  Awareness-raising exercises
• Adequate communication policy and channels with data processors.
• Do not hesitate to contact the EDPS if in doubt. We will help you.
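As an added example (not part of the slides or of any EDPS tooling), a small Python breach-register check that applies the 72-hour window as plain calendar hours, so a breach discovered on a Friday evening and notified on the Monday evening is already late, and that recognises phased notifications by counting the first notice against the deadline. The register entries and reference numbers are constructed.

```python
# Added example (not from the slides): breach-register check that applies the 72-hour
# notification window as calendar hours, so weekend hours count exactly like weekday hours.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NOTIFY_WINDOW = timedelta(hours=72)  # runs from the moment the controller becomes aware

@dataclass
class BreachRecord:
    ref: str                      # internal reference (constructed)
    aware_at: datetime            # when the controller became aware of the breach
    notified_at: List[datetime]   # every notification sent to the EDPS, initial first
    special_categories: bool = False

def deadline(aware_at: datetime) -> datetime:
    # Awareness time plus 72 h; deliberately no business-day adjustment.
    return aware_at + NOTIFY_WINDOW

def first_notification_delay(rec: BreachRecord) -> timedelta:
    return min(rec.notified_at) - rec.aware_at

def is_late(rec: BreachRecord) -> bool:
    # Late when even the first (possibly partial) notification misses the window.
    return first_notification_delay(rec) > NOTIFY_WINDOW

def is_phased(rec: BreachRecord) -> bool:
    # Phased: an initial notification followed by one or more updates.
    return len(rec.notified_at) > 1

def summarise(records: List[BreachRecord]) -> Dict[str, int]:
    return {
        "total": len(records),
        "late": sum(is_late(r) for r in records),
        "phased": sum(is_phased(r) for r in records),
        "special_categories": sum(r.special_categories for r in records),
    }

def utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample register; 10 May 2019 was a Friday.
SAMPLE = [
    BreachRecord("DBN-A", utc(2019, 5, 10, 17), [utc(2019, 5, 13, 17, 30)]),  # Monday 17:30 = 72.5 h
    BreachRecord("DBN-B", utc(2019, 5, 10, 17), [utc(2019, 5, 12, 10), utc(2019, 5, 15, 9)]),
    BreachRecord("DBN-C", utc(2019, 5, 16, 9), [utc(2019, 5, 17, 5)], special_categories=True),
]
```

Running `summarise(SAMPLE)` reproduces the kind of counts shown on slide 2 (total, late, phased, special categories) for the constructed register.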
Page 11: RISK-BASED APPROACH: ASSESSING IMPACT OF A BREACH
• Case-by-case basis: objective assessment
• Likelihood and impact on the rights and freedoms of the individuals, taking into account for the processing:
  Nature, volume, sensitivity, context
• DPIA and its role in assessing a risk
• 12 different practical examples are provided in the EDPS Guidelines, with indications of No Risk, Risk and High Risk
Page 12: THANK YOU!
For more information
www.edps.europa.eu
@EU_EDPS