With the deadline for GDPR compliance looming, Léon’s focus was on personal data breaches and the breach notification and sanctions regime.
In the context of breaches, Léon’s advice was: “Be prepared!”
“The Article 29 Working Party’s Guidance on Personal Data Breaches makes it clear that a lack of preparation for a breach risks doubling down on the sanctions that might be applied in respect of that breach. Indeed, they make it clear that ‘failure to notify a breach could reveal either an absence of existing security measures or an inadequacy of the existing security measures’ and that they are two separate infringements.”
Léon also highlighted that a personal data breach did not require an associated security incident:
“If there has been any loss of confidentiality, availability or integrity of personal data, then there has been a personal data breach, regardless of the cause, and that has to be notified to the supervisory authority (unless it is unlikely to result in a risk to the rights and freedoms of the individual), as well as notified to the data subjects if there is a high risk to their rights and freedoms.”
Finally, Léon reiterated the need to document personal data breaches, even those that do not require notification:
“GDPR, as well as good practice, dictates that when something goes wrong it must be documented, and that the documentation process is used to facilitate a root cause analysis and subsequent process for resolution. If something goes wrong, but is not properly rectified to avoid future failure, the sanction risk to the organisation rises proportionately.”