Assessing the severity of personal data breach
Answer:
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is potentially very broad. It is not limited to loss of data and extends to unauthorised access or alteration. However, it only captures actual breaches and not suspected breaches.
We have developed a whitepaper to help you to efficiently assess the severity of a personal data breach, and determine a course of action. This informative white paper offers a simple methodology, so you can:
- Reliably determine the severity of a personal data breach
- Determine the necessary mitigation measures
- Understand whom to notify, in line with GDPR requirements
You can find the whitepaper here: https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
2. Does the DPA and/or the data subject(s) need to be informed of the breach in all cases where it can cause a high degree of risk to the data subject regardless of the quantity of data subjects affected?
Answer:
If there is a risk to the rights and freedoms of natural persons, the SA needs to be notified within a maximum of 72 hours. However, if the risk is ranked as high, the data subjects need to be informed without undue delay. So you can see it is up to the controller to rank the risk to determine who needs to be notified. In practice, if the risk is high, both the SA and the data subjects need to be informed.
The risk is not only related to the quantity of data but also to the quality: data breaches involving sensitive personal data or data relating to criminal convictions would trigger the need to notify the SA and data subjects even if the number of records is low.
Nov 09, 2018