Financial Crime World

Data Breach Alert: Organizations Must Act Quickly to Mitigate Risks

When a suspected data breach occurs, organizations must act swiftly to investigate the incident and determine the extent of any potential damage to personal data. According to the European Union’s General Data Protection Regulation (GDPR), the initial assessment is left to the discretion of the data controller, but the competent supervisory authority will monitor the efficiency and adequacy of the actions taken.

Immediate Actions Within 24 Hours

To contain a data breach, organizations should take the following immediate steps:

  • Notify the Data Protection Officer or other responsible person within the organization and provide them with all available information about the incident.
  • Conduct an initial investigation to assess the potential risk to individuals’ rights and freedoms.
  • Implement technical and organizational measures to contain and mitigate the breach, such as:
    • Freezing affected devices
    • Isolating impacted systems
    • Changing passwords
    • Contacting system administrators

It is essential to document all steps and actions taken during the investigation and remedial process, as this information may be used by the supervisory authority to ensure compliance with GDPR regulations.

Notifications Within 72 Hours

If the initial assessment indicates a risk to individuals’ rights and freedoms, organizations must notify the competent lead supervisory authority within 72 hours of becoming aware of the breach. The notification should include:

  • Nature of the breach
  • Categories and approximate number of data subjects concerned
  • Name and contact details of the data protection officer or other contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Organizations may provide an initial notification with available information and follow up with additional details later.

Follow-up Actions

If the risk is deemed high, organizations must also notify affected individuals unless:

  • The organization has implemented appropriate technical and organizational measures to protect the data.
  • Subsequent measures have been taken to ensure the risk no longer materializes.
  • Notification would involve disproportionate efforts for the organization.

In addition, organizations should consider any other notification requirements under applicable legislation.

Consequences of Non-Compliance

Failure to comply with GDPR notification requirements can result in:

  • Administrative fines up to 10 million euros or 2% of global turnover
  • Exercise of supervisory authority’s investigative and corrective powers
  • Direct claims by affected individuals for damages suffered as a result of the breach
  • Reputational damage

The Bulgarian Commission for Personal Data Protection (CPDP) has exercised its investigative powers in several data breach cases, imposing corrective measures when necessary.

Takeaways

To mitigate the risks of data breaches, organizations should:

  • Reassess their internal security procedures
  • Identify weak spots in implemented technical and organizational security measures
  • Ensure the protection of commercial information and personal data is continuous

Continuous efforts to ensure the protection of commercial information and personal data are essential for businesses operating in the European Union.