Data Protection: security breaches and active responsibility. Options and obligations

Article

Data Protection: security breaches and active responsibility. Options and obligations

Among the new developments that Europe, in its constant mission to raise awareness of the importance of personal data protection, has left behind, we find the implementation of the figure of the "security breach" in REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.

In Spanish law, the Regulation was transposed through Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights, under the name of "security incident", which in turn derives in The Spanish Data Protection Agency ( AEPD) the development of the tools, guides, guidelines and orientations that are necessary to provide professionals, micro, small and medium-sized enterprises with appropriate guidelines for compliance with the obligations of active responsibility.

But what is a security breach? The AEPD clarifies that a security breach is a security incident that affects personal data. This incident can have an accidental or intentional origin and can also affect data processed digitally or in paper format. In general, it is an event that results in the destruction, loss, alteration, communication or unauthorized access to personal data.

Data protection regulations have always obliged to keep a record of incidents, which in its updated version would be these "breaches", therefore the real novelty is not so much to make this record but now it is mandatory that any security breach is reported to the competent authorities (Spanish Data Protection Agency) within 72 hours.

This being so, and although the standard does not determine the specific actions that data controllers and data processors must have in place, imposing the generic concept of active or proactive responsibility, the question is that, in order to be able to take measures in the event of a security breach or incident, the data controller must be prepared for this possibility, and have established what actions must be taken in the event of a breach occurring.

How to be prepared?

There are two mechanisms, the register of activities and the impact assessment, which, although the regulation only establishes its obligatory nature when there is a probability that it involves a high risk, the recommendation is to be aware of what personal data is being processed, with what means and the risks that may exist, and to have mechanisms in place to detect security breaches of personal data.

What to do if the breach occurs?

The data controller must initiate an action plan to resolve the breach, minimize its consequences and record the actions and events located and updated to prevent future occurrences and communicate when the security breach has been detected and resolved.

Therefore, just as important as solving the breach and minimizing the risks for those affected is learning from it, by identifying where the failure lies in the information management processes. Therefore, it is part of the principle of proactive responsibility to document in detail the breach and the actions taken to manage and prevent it in the future.

Paloma Aguilar (Lawyer T&L)