Do you run an e-shop? Today it is possible to get such a solution in a few clicks. You can set up additional add-ons in your e-shop to help you with billing, statistics or add other interesting extensions. Often, when choosing an add-on, you also agree to terms and conditions and other rules that, let's face it, not many actually read.
Everything is working fine, but suddenly you find out that the platform on which the e-shop is run has had a major data leak. Or you get a message from that platform saying there's been a leak.
What comes next?
First, you need to gather as much information as possible, and quickly: if personal data has been breached, you have 72 hours from the moment you become aware of the incident to report it to the Data Protection Authority.
What information should you ideally obtain:
For the last point, you need to assess the risks associated with the incident. This assessment is highly individual, but as a rule, if sensitive data (for example health data or sexual orientation) is involved in the incident, a high risk to the data subjects is virtually certain.
The amount of risk determines the other obligations. If the risk is high, the people involved should also be notified of the incident. This makes sense, because if the risk is high, there is a risk of significant harm to these people, so they must be able to take steps to prevent this harm or at least be aware of it.
Clueless how to assess the risks? Drop us a line or have us do a complete GDPR mapping for you.
In particular, prepare processing agreements with the providers involved in the incident (if they are processors).
Was there a data leak on the side of the operator of the platform on which the e-shop runs? It is very likely that this operator is in the position of a personal data processor (it may store the personal data and carry out other processing activities solely on behalf of the e-shop).
Do you know where to look for a possible processing contract? Check the agreed terms and conditions or make a query on the platform.
At the same time, prepare any other documentation you have on GDPR.
You are not submitting the documents anywhere for the time being, but the Data Protection Authority may request them as part of further resolution. So you can skip this step for now, but it is advisable to have everything ready. At the same time, you may find some of the information useful when completing the report.
Don't do it. If the incident is more widespread, it will start to spread through the media. It's very likely that the Data Protection Authority will eventually find out. And there's nothing worse than having nothing and not reporting the incident within the time limit.
Better late than never. Report the incident anyway, and try to explain in your report what caused the delay.
Now comes the unpopular part. There is an interactive form for reporting a security incident, which is available on the website of the Office for Personal Data Protection.
This form should be filled in and sent to the Office for Personal Data Protection by e-mail: email@example.com or to the data box: qkbaa2n. You can also use the submit button available on the form itself.
When completing the report, you should base it on the information you obtained in step one. The form is fairly intuitive, but if you have any problems with it, drop us a line and we will help you complete it.
You may not know all the information when you fill in the form, and at the same time the 72-hour deadline will be pressing on you. It is possible to skip some parts of the report and complete them at any time later.
The GDPR states, "If it is not possible to provide the information at the same time, it may be provided sequentially without further undue delay."
On the reporting form itself, you can also check whether it is an initial or additional report.
Each controller has an obligation to document security breaches. Such documentation should include:
We live in a time when the risk of potential security incidents is increasing. If one has happened to you, you're certainly not the first or the last person it has happened to. Last year, 294 security incidents were reported to the Data Protection Authority. That's almost 1 security incident every day. But these are only the reported ones, and the actual number will be much higher.
Want to check you're GDPR compliant so you don't have to worry about reporting anything?