GDPR – Data Breaches: what are my startup's obligations?
Implementing security measures is a mandatory obligation under the GDPR. What is a personal data breach? How should you respond? What are the obligations of a startup acting as a data controller or as a processor?
This article aims to give you the reflexes to adopt in the event of a personal data breach.
1. What is a personal data breach?
A personal data breach is a breach of security, whether accidental or deliberate, that leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data (Article 4(12) of the GDPR). In other words, it is any incident that compromises the confidentiality, integrity or availability of personal data.
Examples: loss of a document containing personal data, malicious intrusion into a database.
A security vulnerability is a broader concept: a weakness in an IT system which, if exploited, could compromise the confidentiality, integrity or availability of that system.
Examples of vulnerabilities and of the attacks that exploit them: SQL injection, phishing, ransomware, etc.
Security vulnerabilities do not always affect personal data and therefore do not always result in a personal data breach. It is therefore necessary to analyze which data were actually affected by the vulnerability or the attack. Note that ransomware which encrypts a database of customer records is a personal data breach (loss of availability) even if no data were exfiltrated, and that unauthorised access to personal data is a breach even if nothing was copied.
2. What are your obligations as a data controller?
A startup acting as a data controller must comply with the following obligations:
a. Obligation to notify the supervisory authority
The startup is required to notify the competent supervisory authority of any breach affecting the personal data it processes, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned (Article 33(1) of the GDPR).
When? The notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of the personal data breach. If the notification is made later, it must be accompanied by the reasons for the delay.
Warning: startups whose main establishment is in France, and startups outside the EU whose processing concerns individuals located in France, must use the CNIL notification form: https://notifications.cnil.fr/notifications/index. The form requires that the reasons for any delay be stated. Where not all information is available within 72 hours, the notification may be made in stages (Article 33(4) of the GDPR): an initial notification followed by a supplementary notification, which the CNIL requires within a further 72-hour period.
b. Obligation to inform data subjects
The startup is required, where the breach is likely to result in a high risk to the rights and freedoms of the data subjects concerned, to communicate the occurrence of the data breach to those data subjects (Article 34 of the GDPR). The threshold is therefore higher than for notifying the supervisory authority: "high risk" rather than "risk".
When? This communication to data subjects must be carried out without undue delay.
Content of the communication:
- A description, in clear and plain language, of the nature of the personal data breach;
- The name and contact details of the Data Protection Officer or another point of contact from whom additional information can be obtained;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication to data subjects is not required where one of the following exceptions applies (Article 34(3) of the GDPR). It will sometimes be necessary to distinguish between data subjects for whom communication is required and those for whom it is not:
- Appropriate technical and organizational protection measures had been applied to the affected data, rendering them unintelligible to any unauthorised person (e.g., encryption or pseudonymization). Encryption only counts if the keys were not also compromised;
- Subsequent measures have been taken ensuring that the high risk is no longer likely to materialize;
- Communicating with the data subjects individually would involve disproportionate effort (in which case a public communication, or an equally effective measure, must be made instead).
c. Obligation to maintain a personal data breach register
The GDPR requires the startup to document all data breaches, including those not notified to the supervisory authority, in order to allow the authority to verify compliance retrospectively (Article 33(5) of the GDPR). The startup must therefore maintain a personal data breach register recording, for each breach, the facts relating to the breach, its effects and the remedial action taken. Where a breach was not notified, the register should also record the reasons for that decision.
When? This register must be maintained on an ongoing basis; the startup must record every data breach as it occurs.
3. What are your obligations as a processor?
When the startup acts as a processor within the meaning of the GDPR, its data breach obligations differ. In practice, a startup that hosts personal data on behalf of a data controller, or that provides a SaaS platform, typically acts as a processor for the data its client companies entrust to it (while remaining a data controller for its own data, such as employee, billing or prospect data).
A startup acting as a processor within the meaning of the GDPR, regardless of its location, must comply with the obligations incumbent on it in the event of a personal data breach affecting the personal data of its client companies: it is required to inform the data controller that a breach has occurred in relation to the personal data concerned (Article 33(2) of the GDPR). The processor does not itself assess the risk for data subjects, notify the supervisory authority or inform the data subjects; those obligations rest with the data controller.
When must the data controller be informed? The processor is required to inform the data controller without undue delay after becoming aware of the breach.
Warning: a specific time limit may be contractually imposed by the data controller on the processor. Indeed, when the data controller and the processor enter into an agreement that includes a clause relating to personal data protection (Article 28 of the GDPR), they may provide that the processor informs the data controller within a specific time frame (for example: 48 hours). Such a contractual deadline is usually set well inside 72 hours, so that the data controller retains enough time to carry out its own 72-hour notification.
4. Our recommendations
When the startup acts as a data controller, it is recommended to:
- implement an internal personal data breach management policy, so that breaches are detected and escalated promptly and handled consistently;
- record the date and time at which the breach was detected, since the 72-hour period runs from the moment the startup becomes aware of it;
- where complete information is not available within 72 hours, file an initial notification with the CNIL rather than waiting, and supplement it with a follow-up notification filed without undue further delay.
When the startup acts as a processor, it is recommended not to file a notification with the supervisory authority or communicate with data subjects on behalf of the data controller, unless the contract with the data controller expressly instructs it to do so. The GDPR does not impose these obligations on a startup acting as a processor; they rest with the data controller.
5. Why is it essential to comply with these GDPR obligations?
Data security is an extremely important issue with a direct impact on a startup's relationships with its clients, partners, and service providers.
Complying with these GDPR obligations helps avoid:
- Financial penalties: failure to comply with the security, notification and communication obligations (Articles 32 to 34) is punishable by fines of up to 10 million euros or 2% of total annual worldwide turnover, whichever is higher (Article 83(4) of the GDPR); breaches of the basic principles of processing are punishable by fines of up to 20 million euros or 4% of total annual worldwide turnover, whichever is higher (Article 83(5)). These decisions may be made public;
- Reputational damage resulting from a security failure or a failure to notify/inform in the event of a personal data breach, which can have severe negative consequences on the startup's image and reputation.
Example: in France, the Penal Code (Articles 226-16 et seq.) provides for criminal sanctions of up to 5 years' imprisonment and fines of up to €300,000 for natural persons, increased to €1.5 million for legal entities.
References
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in particular Articles 4(12), 28, 33, 34 and 83;
- Guidelines, recommendations and best practices published by the European Data Protection Board (EDPB), in particular Guidelines 01/2021 on examples regarding personal data breach notification;
- Guidelines of the Article 29 Working Party (WP29) endorsed by the EDPB, in particular the Guidelines on personal data breach notification under Regulation 2016/679 (WP250rev.01).