2 minute read
3. The possible consequences of a personal data breach
21. Therefore, a security incident resulting in personal data being made unavailable for a period of time is also a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons. To be clear, where personal data is unavailable due to planned system maintenance being carried out this is not a breach of security as defined in Article 4(12) GDPR.
22. As with a permanent loss or destruction of personal data (or indeed any other type of breach), a breach involving the temporary loss of availability should be documented in accordance with Article 33(5)
Advertisement
GDPR. This assists the controller in demonstrating accountability to the supervisory authority, which may ask to see those records19 . However, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals.
The controller will need to assess the likelihood and severity of the impact on the rights and freedoms of natural persons as a result of the lack of availability of personal data. In accordance with Article 33
GDPR, the controller will need to notify unless the breach is unlikely to result in a risk to individuals rights and freedoms. Of course, this will need to be assessed on a case-by-case basis.
Example
In the context of a hospital, if critical medical data about patients are unavailable, even temporarily, this could present a risk to individuals rights and freedoms; for example, operations may be cancelled and lives put at risk.
Conversely, in the case of a media company s systems being unavailable for several hours (e.g. due to a power outage), if that company is then prevented from sending newsletters to its subscribers, this is unlikely to present a risk to individuals rights and freedoms.
23. It should be noted that although a loss of availability of a controller s systems might be only temporary and may not have an impact on individuals, it is important for the controller to consider all possible consequences of a breach, as it may still require notification for other reasons.
Example
Infection by ransomware (malicious software which encrypts the controller s data until a ransom is paid) could lead to a temporary loss of availability if the data can be restored from backup. However, a network intrusion still occurred, and notification could be required if the incident is qualified as confidentiality breach (i.e. personal data is accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.
3. The possible consequences of a personal data breach
24. A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals20 .
25. Accordingly, the GDPR requires the controller to notify a breach to the competent supervisory authority, unless it is unlikely to result in a risk of such adverse effects taking place. Where there is a
19 See Artic le 33 (5) GDPR. 20 See al so Recital s 85 and 75 G DPR.
