Since 25 May, we have been receiving news and notifications every day of security breaches at top-level companies resulting in the mass exposure of customer data.

The reality, as unlikely as it may seem, is that the number of security breaches has not increased since the application date of the Data Protection Regulation (GDPR) of 27 April 2016. Rather, until now our legislation imposed no obligation to report security violations except on providers of publicly available electronic communications services, while the GDPR now extends this obligation to any company processing data.

A security incident is the destruction, loss or alteration of personal data due to internal or external causes, which may be accidental or intentional. With regard to such an eventuality, the most important things for any company to bear in mind should be to (i) define a procedure for management of security breaches; (ii) have the tools available to assess the risk of such an incident occurring; and (iii) know whether it should be reported to the supervisory authorities and to data subjects depending on the characteristics of the incident and the risk for data subjects.

Notification to the supervisory authority, as established under the GDPR, is required whenever the incident may result in a risk to data subjects, and the notification must be made within 72 hours of becoming aware (having actual evidence) of the incident. The data subjects affected must also be notified whenever such an incident could result in a high risk for them, provided that said notification does not compromise the outcome of a pending investigation, in which case the communication may be made at a later stage, all under the control of the supervisory authority.

Additionally, it is crucial to respond quickly in an effort to mitigate the consequences of the incident, by adopting security measures that prevent the data from being accessed, amended or read.

The only effective formula for avoiding this deluge of legal obligations is prevention. All possible measures must be taken to avoid security breaches, prevent unauthorised reading and amendment of data, and establish a procedure for responding to incidents of this kind.

The European Data Protection Board, formerly the Article 29 Working Party, prepared a guide on notification of security breaches which deals with many of the issues that had given rise to doubts. Moreover, on 19 June 2018 the Spanish Data Protection Agency published a guide for management and notification of security breaches with directives for detection and management of security breaches and evaluating notification of the same.

Authors: Martín Bello and Cristina Espín
