Expert Advice Community

Question regarding Data Breach Response Team

Guest user Created:   Feb 23, 2022 Last commented:   Mar 04, 2022


I have a question regarding the "Data Breach Response Team". Should the DPO be a part of that team or is it sufficient to be a part of the process itself (by working in close collaboration with the Team) without being part of the Team that investigates the breach? What is Advisera's recommendation on this issue?
Expert
Tudor Galos Feb 25, 2022

Article 38 of the GDPR – Position of the data protection officer – paragraph 1 clearly states: “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”. This means that the DPO must be part of the Data Breach Response Team. The DPO is responsible for communicating the results of the data breach investigation to the supervisory authority and, if that is the case, to the data subjects.

Please check these links for more details:

Guest user Mar 02, 2022

Thank you for your reply.
I have another question regarding data breaches: when a company e-mail account is compromised and someone outside the company has gained temporary access to it, is it always necessary to submit this information to the Supervisory Authority, or does it depend on which documents may have been accessed by the "intruder"?

Expert
Tudor Galos Mar 04, 2022

A data breach is defined in Art. 4 GDPR – Definitions – as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. According to Article 33 GDPR – Notification of a personal data breach to the supervisory authority – the data breach should be reported to the Supervisory Authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. When you assess the risks to the rights and freedoms of data subjects, you need to ask what could happen to the data subject if the compromised data were exposed.

If an email account is compromised, there are significant risks that conversations will be exposed and that email addresses will be exposed, attacked, or abused. All these risks need to be assessed and documented before deciding whether to report the breach to the authority. In any case, the supervisory authority requires each data controller that reports a data breach to give all the details related to the breach, including the likely consequences for the affected data subjects.

In the EU GDPR Premium Documentation Toolkit, in directory 12 – Personal Data Breaches – there are two templates to help you: a procedure for Data Breach Response and Notification and a Data Breach Notification Form to the Supervisory Authority. If you fill in all the details in these two documents, you will know better whether to report the incident to the supervisory authority or not.

Please consult also these resources:
