How to Manage a Data Leak

In spite of all security measures there is always a possibility for a data leak in your company. Violation of data protection laws is subject to severe penalties (Article 83 (4), (5) GDPR). In addition every person concerned, has the right to claim compensation. The following information will help you to be prepared to manage a data leak properly.

Here are some examples of data leaks:

• Hacking
• Theft of data
• Attack by ransomware
• A system breakdown
• Intentional or unintentional modification of data
• Unintentional deletion of data
• Deletion of data by an unauthorized person
• Loss of mobile data carriers (mobile phone, pad, USB stick)
• Loss of documents sent by mail comprising personal data
• Loss of a key to decrypt data
• Unauthorized transfer of data
• Unintentional transfer of data to an unauthorized recipient
• …

• Ensure that your employees know how to handle a data leak. All employees should know that it is necessary to forward a data leak quickly to management and to your data protection officer. Often employees act to slow, if they are afraid of consequences because they might have made a mistake. Make sure that your employees are aware of the fact, that data mishaps often happen involuntary and that much harm can be prevented by prompt action. Provide a short information for your staff, that helps to identify and report data breaches correctly.

• If there is a data protection officer in your company, you should inform him / her immediately.

• If a data leak leads to a risk for the rights and freedoms of natural persons you need to inform the responsible data protection authorities immediately (if possible within 72h). The period begins with the realization of the data leak. This task should be adopted by the company’s data protection officer or by company management. This obligation is mandatory, regardless of the question, if the data leak happened with or without someone’s fault. There is no exception to this obligation. A justification is needed for late reporting. The longer the time limit is exceeded the more detailed the explanation should be.
Authorities offer forms on their website that gather the information necessary. If there is no other option, information can be given later (Art. 33 (4) GDPR). Speed is more important than completeness. If you have new information you need to do a follow-up notification within 72 hours that includes a reference to your previous report. If there is an intentional attack you should contact the competent authorities.

• You need to inform every person that is at risk for his / her rights and freedoms by your data leak, but not before data protection authorities give their consent. This regulation provides authorities with the possibility to track a hacker attack before it becomes public.
The information has to be kept in a clear and simple language. The content should be easily comprehensible, so it is not suggested to use the same text that was used to inform authorities. The information has to include the contact details of the company’s data protection officer or of another contact person, the kind of data protection violation, the description of possible consequences of the data leak, potential self-protection measures for the persons involved and information About actions taken by the company.
If this information involves a disproportionate effort for your company, instead a public announcement can be issued. This would apply for example, if there are no contact details, if there are only outdated contact details or if the number of persons concerned can not be determined. If you take a public announcement into consideration, you should take the effects on company image into account.

• If there is an order processing contract in place, the processor has the obligation to support the controller. The processor is not obliged to inform authorities or persons concerned. The obligation to support the controller can be specified in the order processing contract with regard to the extent of the information that needs to be provided, the extent of protection measures, cost recoveries, etc.

• Report all expertise won by overcoming data leaks comprehensively to fulfil reporting and documentation duties. This will also help to evaluate the usefulness of actions in a future data leak crisis.