Guest user Created: Sep 30, 2018 Last commented: Sep 30, 2018

Information security incident by ISO 27001 vs. personal data breach by GDPR

I am working on internal information security incident procedure and have some doubts concerning correct classification of the following event: Let's say we have found system vulnerability which can be used and lead to unauthorized access to personal data. Fortunately it's been found in advance and removed by IT unit. I believe such case should be classified as information security incident in accordance with ISO 27001. But what about personal data breach?&quest; I am almost sure that such event should not be classified as a breach in accordance with GDPR, since IT unit prevented possible attack by removing vulnerability as well as supervisory authority. should not be notified too

0 0

Assign topic to the user

Select user

Expert

Andrei Hanganu Sep 30, 2018

Answer:

If the vulnerability was not exploited to misuse personal data there is no data breach under the EU GDPR. The EU GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise process ed”

So if the data was not destroyed, lost, altered or transmitted, then it is just a security incident but not a data breach.

To learn more about data breach check out our free “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//).

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Sep 30, 2018

Expert Advice Community