Flashcards in Data Breach Deck (16):
What is a personal data breach?
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
What does destruction mean?
Where data no longer available dusts, or no longer exists in a form that is of any use to a data controller
What does damage mean?
Where personal data has been altered, corrupted, or is no longer complete.
What does loss mean?
Data may still exist but the controller has lost control or access to it, or no longer has it in its possession.
What does unauthorized disclosure mean?
Processing of data by recipients not authorized to receive or access the data
What are the types of data breaches?
- confidentiality breach - an unauthorized or accidental disclosure of, or access to, personal data
- integrity breach - an unauthorized or accidental alteration of data
- availability breach - an unauthorized or accidental loss of access
Joint controllers - who should notify a data breach?
A contractual arrangement should exist between joint controllers with a provision that determines which controller will take the lead on, or be responsible for, compliance with data breach notifications
Should a processor assess the likelihood of a risk arising from a breach before notifying the controller?
No - the processor just needs to establish whether a breach has occurred and the notify the controller.
In a cross-border breach or a breach at a non-EU establishment and a breach affects data subjects in more than one member state - who should be notified?
The supervisory authority of the main establishment or of the single establishment of the controller or processor
What are the conditions where notifications are not required?
Breaches that are unlikely to result in a risk to the rights and freedoms of natural persons
What should a controller (not established in the EU) do if a data breach occurs about an EU data subject?
The controller needs to have designated a representative in the EU and reports to the DPA in the member state.
If a securely encrypted device is lost does the data controller notify the DPA?
No if encryption key is not compromised and a backup is available.
How should a data controller communicate a data breach to an affected individual?
The controller should contact the individual directly, unless doing so would involve a disproportionate effort.
What is an effective way of communicating a breach to an individual?
Include several of the following: Email, SMS, direct message, prominent website banner or notification, postal communications and prominent advertisement in print media. A notification solely by a press release or corporate blog is not sufficient.
What are examples of circumstances where a risk may be considered unlikely in a data breach?
- personal data leaked are already publicly available
- personal data leaked are encrypted with a state-of-the-art algorithm
- there is a very temporary loss of access to personal data
- personal data are accidentally sent to third parties that can be trusted by virtue of their relationship with the data controller organization