Expert Advice Community

Assessing the severity of personal data breaches according to GDPR

Guest user. Created: Sep 19, 2018. Last commented: Sep 19, 2018.

I have a specific question regarding the formula SE = DPC x EI + CB, more precisely on how to evaluate DPC.
Expert
Andrei Hanganu Sep 19, 2018

Case: a personal data breach only involves non-sensitive categories of personal data but could lead to a financial loss (unauthorized persons had access to name, surname, type of debit card, first 4 digits of the debit card and the date of expiration of that card) - what score should I allocate, 1 or 2? More on that, some unauthorized persons took advantage of the system error and used debit cards belonging to others on our online platform. Of course, in a very short period of time we compensated the affected people with money back.

Answer:

Recital 85 of the EU GDPR states that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important that the notification indicates these categories.

So, as you can see, the key trigger requiring notification of a breach is when there is a likely risk to the rights and freedoms of individuals, and the key trigger requiring communication of a breach to data subjects is where it is likely to result in a high risk to the rights and freedoms of individuals. This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation.

To learn more about data breaches check out our “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//)
