How to Manage Data Breaches Under GDPR

by John DiGiacomo

Partner

In recent weeks, we have posted about the requirements of personal data protection under Europe’s General Data Protection Regulation (GDPR) that companies must now follow. Today we will look into what a company must do in the event of a data breach under this regulation.

Over the past few years, we have seen some truly impressive data leaks around the world.

Between May and July 2017, Equifax was hacked, which compromised data for 143 million people, including names, social security numbers, birthdates, and home addresses. In 2018, a number of online retailers, such as Macy’s and Adidas, suffered from data breaches. Even Facebook faced a major data breach that affected as many as 50 million people. Because data breaches are, unfortunately, a fact of life, businesses and consumers must be prepared for them.

If your internet business is subject to the GDPR, here is what you should know:

What is a Data Breach?

Article 4 of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Under the GDPR, you are required to “implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards in the processing.” (Article 25)

These requirements include having appropriate levels of security, limiting access to personal data so that it can only be accessed on an as-needed basis, and conducting tests on a regular basis so that you find security weaknesses before they lead to a breach. You must also have an appropriate backup system in the event that the data is lost.

You may also be required to have a qualified data protection officer, who will be in charge of overseeing data security. This position is especially important if you are processing a significant amount of sensitive data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or information related to genetic or biometric data.

Government data protection authorities are available for consultation, especially when there is a high risk in processing, or there are no measures in place to mitigate potential risks.

How Your Company Should Manage Data Breaches

You are not required to disclose every data breach. However, you must make an assessment as to whether or not the breach is likely to cause a significant detrimental effect to individuals.

If the breach is likely to be significantly detrimental, you must notify your country’s data protection authority within 72 hours of becoming aware of the breach. This notification must include:

  • The nature of the breach, including what type of data was taken and how many people’s information was compromised;
  • The likely consequences of the data breach;
  • What measures you have taken, or propose to take, in order to address the breach; and
  • What measures, if any, can mitigate the adverse effects of the breach.

Additionally, if the data breach is likely to involve a high risk to the rights and freedoms of individuals, you must disclose the breach to the individuals at risk without undue delay. The GDPR allows you to make this communication by issuing an effective public communication, if contacting individuals would require disproportionate effort. Companies that have implemented measures, such as encryption, that would render the data unintelligible are allowed to forgo public notification.

Manage Data Breaches: Fines for Non-Compliance

If your company fails to comply with the GDPR’s data breach rules, specifically the requirement to notify your customers within 72 hours of the breach, it can also be fined a significant amount of money.

Less severe breaches carry fines up to €10 million ($11.2 million) or 2% of a company’s annual revenue, whichever is greater. More severe breaches can carry fines up to €20 million ($22.5 million), or 4% of a company’s annual revenue, whichever is greater.

In 2016, the year before Equifax had its major data breach, it reported $3.1 billion in revenue, meaning that it could have been liable for a fine up to $124 million due to its failure to report the breach within 72 hours.

Fines are discretionary, rather than mandatory, meaning that each country’s enforcement agency will assess the situation before imposing fines.

Factors that will be considered include:

  • The nature of the infringement;
  • The number of people affected by it;
  • Whether the breach was intentional or merely negligent;
  • What steps were taken to protect the data; and
  • History of noncompliance, if any.

Additionally, you may be required to compensate individuals for any damages they suffer as a result of the breach.

If You are a Consumer Whose Data has Been Breached

As a consumer, if your data was breached, there are a number of steps you should take.

If the data breach was for non-financial data, like an email or social media account, you should change your passwords. You should also monitor for suspicious activity, such as strange messages being sent or strange posts to your feed.

If the data breach was for a financial account, such as a credit or debit card or bank account, you have a couple more steps to take after changing passwords. Depending on the severity of the breach, you should place a credit freeze or a fraud alert on your accounts at Equifax, Experian, and TransUnion. You can also check your credit report for free at annualcreditreport.com. You should also monitor your financial accounts to look for unauthorized transactions.

Finally, if the GDPR applies to your situation, you can file a lawsuit against the company that violated your data protection rights, and make a claim with your national data protection authority.

This article does not contain legal advice, and is for informational purposes only. Our internet privacy attorneys have significant experience helping our clients stay compliant with data privacy and protection laws. If you have questions regarding compliance with GDPR, contact Revision Legal’s attorneys with the contact form on this page, or call us at 855-473-8474.