What is a personal data breach?

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.


What does destruction mean?

Where the data no longer exists, or no longer exists in a form that is of any use to the data controller.


What does damage mean?

Where personal data has been altered, corrupted, or is no longer complete.


What does loss mean?

The data may still exist, but the controller has lost control of or access to it, or no longer has it in its possession.


What does unauthorized disclosure mean?

Disclosure of personal data to, or access by, recipients who are not authorized to receive or access the data.


What are the types of data breaches?

- confidentiality breach - an unauthorized or accidental disclosure of, or access to, personal data
- integrity breach - an unauthorized or accidental alteration of personal data
- availability breach - an unauthorized or accidental loss of access to, or destruction of, personal data

A single incident can be more than one type at once (for example, ransomware that exfiltrates data before encrypting it is both a confidentiality and an availability breach).


Joint controllers - who should notify a data breach?

A contractual arrangement should exist between the joint controllers with a provision that determines which controller will take the lead on, or be responsible for, compliance with the data breach notification obligations.


Should a processor assess the likelihood of a risk arising from a breach before notifying the controller?

No - the processor only needs to establish whether a breach has occurred and then notify the controller without undue delay. Assessing the likelihood and severity of the risk, and deciding whether the supervisory authority and data subjects must be notified, is the controller's responsibility.


In a cross-border breach, or a breach occurring at a non-EU establishment, that affects data subjects in more than one member state - which supervisory authority should be notified?

The lead supervisory authority, i.e. the supervisory authority of the main establishment or of the single establishment of the controller or processor.


What are the conditions where notifications are not required?

Breaches that are unlikely to result in a risk to the rights and freedoms of natural persons. The controller must still document every breach internally (its facts, effects and the remedial action taken) so the supervisory authority can verify compliance.


What should a controller (not established in the EU) do if a data breach occurs about an EU data subject?

The controller must already have designated a representative in the EU, and it reports the breach to the supervisory authority of the member state in which that representative is established.


If a securely encrypted device is lost does the data controller notify the DPA?

No - provided the encryption key has not been compromised and a backup of the data is available, so there is neither a confidentiality nor an availability impact. If there is no backup, the loss is an availability breach and may need to be notified; if the key is later found to be compromised, or the encryption is later found to be weak, the risk assessment must be revisited. The incident should still be documented internally.


How should a data controller communicate a data breach to an affected individual?

The controller should contact the individual directly, unless doing so would involve a disproportionate effort, in which case a public communication or a similar measure that informs the affected individuals in an equally effective manner should be used instead.


What is an effective way of communicating a breach to an individual?

Use one or more dedicated channels, for example: email, SMS, direct message, a prominent website banner or notification, postal communication, or a prominent advertisement in print media. A notification made solely by a press release or corporate blog post is not sufficient.


What are examples of circumstances where a risk may be considered unlikely in a data breach?

- the personal data leaked are already publicly available and their disclosure does not constitute a likely risk to the individual
- the personal data leaked are encrypted with a state-of-the-art algorithm and the encryption key has not been compromised
- there is a very temporary loss of access to personal data with no significant effect on individuals
- the personal data are accidentally sent to a third party that can be trusted by virtue of its relationship with the data controller organization


What should the data breach notification contain?

- who is impacted - the categories of data subjects concerned
- how many - the approximate number of data subjects and of personal data records concerned
- the nature of the breach - confidentiality, integrity and/or availability
- the name and contact details of the DPO or other contact point
- the likely consequences of the breach
- the measures taken, or proposed to be taken, to address the breach and mitigate its adverse effects