Question regarding Data Breach Response Team
Article 38 of the GDPR – Position of the data protection officer – paragraph 1 clearly states: “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data”. This means that the DPO must be part of the Data Breach Response Team. The DPO is responsible for communicating the results of the data breach investigation to the supervisory authority and, if that is the case, to the data subjects.
Please check these links for more details:
- Article 38 GDPR – Position of the data protection officer: https://advisera.com/eugdpracademy/gdpr/position-of-the-data-protection-officer/
- Article 39 GDPR – Tasks of the data protection officer: https://advisera.com/eugdpracademy/gdpr/tasks-of-the-data-protection-officer/
- The role of the DPO in light of the General Data Protection Regulation: https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
- EU GDPR Data Protection Officer Course: https://advisera.com/training/eu-gdpr-data-protection-officer-course/
Thank you for your reply.
I have another question regarding Data Breaches: when a company e-mail account is compromised and someone outside the company has gained temporary access to it, is it always necessary to submit this information to the Supervisory Authority, or does it depend on which documents may have been accessed by the "intruder"?
A data breach is defined in Art 4 GDPR – Definitions – as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. According to Article 33 GDPR – Notification of a personal data breach to the supervisory authority – the data breach should be reported to the Supervisory Authority “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. When you assess the risks to the rights and freedoms of data subjects, you need to ask what could happen to the data subject if the compromised data were exposed.
If an email account is compromised, there are significant risks that conversations will be exposed and that email addresses will be exposed, attacked, or abused. All these risks need to be assessed and documented before deciding whether to report the breach to the authority. In any case, the supervisory authority requires each data controller that reports a data breach to provide all the details related to the data breach, including the likely consequences for the affected data subjects.
In the EU GDPR Premium Documentation Toolkit, in directory 12 – Personal Data Breaches – there are two templates to help you: a procedure for Data Breach Response and Notification and a Data Breach Notification Form to the Supervisory Authority. If you fill in all the details in these two documents, you will know better whether to report the incident to the supervisory authority or not.
Please consult also these resources:
- Art 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
- Article 33 GDPR - Notification of a personal data breach to the supervisory authority: https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/
- 5 steps to handle a data breach according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/5-steps-to-handle-a-data-breach-according-to-gdpr/
Mar 04, 2022