Data breach - What to do when it happens

According to Article 4 Number 12 of the GDPR, a data breach is a "personal data breach". Data breaches can have serious consequences, both for the company and for the data subjects. It is about the protection of personal data, which may include sensitive data about the data subject. Data breaches can cause personal data to be stolen, altered, or disclosed without authorisation. This can lead to identity theft, reputational damage, and financial loss. Companies that prevent data breaches gain the trust of their customers and also prevent possible legal consequences.

Data breaches can occur in a number of ways. Here are some examples that companies should be aware of:

• Loss or theft of storage media or hardware devices, such as USB sticks, smartphones, or laptops, that contain personal data.
• Unauthorised access to personal data through phishing, hacker attacks, or the theft of access data.
• Unintentional deletion or modification of data.
• Sending open distribution list emails that leak personal data to unauthorised recipients.
• Incorrect disposal of documents containing personal data.

To prevent data breaches, it is crucial to implement appropriate security measures. Here are some best practices you should follow:

1. Raise awareness and train employees

Employee training and awareness are essential to raise awareness of data protection risks. Staff should be educated on best security practices such as using strong passwords, regularly updating software, and identifying phishing attempts.   
Our staff training is designed to educate employees on various topics related to data protection, cyber security, and compliance to minimise the risk of data breaches and cyber-attacks.

2. Strong access controls

Ensure that access rights to personal data are only granted to authorised individuals. Implement access restrictions and regular audits to ensure that only those employees who need access have it.

3. Data backup and encryption

Regular backups are critical to recovering data in the event of a data breach. You should also encrypt personal data to ensure its confidentiality, both in storage and in transit.

4 Up-to-date security systems

Keep your software and systems up to date by installing security patches and updates regularly. Outdated software can be enough for a hacker to break into your systems.

A data protection breach can have serious consequences, both financially and in terms of customer trust. The General Data Protection Regulation (GDPR) provides for high fines, which can be up to 4 % of global annual turnover or up to 20 million euros, depending on the severity of the breach.

In the event of a data breach, you should act immediately:

• Document the breach: Record all relevant information about the data breach in writing.
• Notify the supervisory authority: Inform the competent data protection authority about the breach.
• Inform the data subjects: Notify the data subjects about the data breach and the measures taken.
• Analyse the cause: Investigate the cause of the breach and take measures to prevent similar incidents in the future.

heyData is specifically designed to help businesses meet the requirements of the GDPR and prevent data breaches. Our software offers:

1. Risk assessment: We help you identify potential risks and vulnerabilities at an early stage to proactively prevent data breaches.
2. Establishment of technical and organisational measures: We support you in taking all necessary technical and organisational measures to avoid risks and comply with applicable regulations.
3. Notification system: Should a data breach nevertheless occur, heyData supports you in notifying all necessary bodies in a timely manner.
4. Documentation of the data breach: In addition to notifying the authority, heyData also creates an internal document containing all relevant information about the data breach in accordance with Art. 33 GDPR.