1/3/22
Data Protection: Security Breaches and Active Responsibility. Choices and Obligations
Among the novelties Europe has given us in its constant effort to raise awareness of the importance of protecting personal data is the introduction of the concept of the "security breach" (personal data breach) in Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the GDPR).
In Spain, the Regulation was adapted into national law by Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights, under the name "security incident". That law in turn entrusts the Spanish Data Protection Agency (AEPD) with developing the tools, guides and guidelines needed to give professionals, micro-enterprises and small and medium-sized enterprises adequate guidance on complying with their active responsibility (accountability) obligations.
But what exactly is a security breach? The AEPD clarifies that a security breach is a security incident affecting personal data. The incident may be accidental or intentional in origin, and it may affect data processed digitally or on paper. In general terms, it is an event that causes the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data.
Data protection regulations have always required us to keep a record of incidents (in the updated terminology, of these "breaches"), so the real novelty is not the record itself but the fact that any security breach must now be notified to the competent supervisory authority (in Spain, the AEPD) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals; conversely, where the breach is likely to result in a high risk to those rights and freedoms, the affected individuals themselves must also be informed without undue delay. The 72-hour clock starts at the moment of awareness, not at the moment the breach is fully understood, so a preliminary notification may be followed by further information in phases.
This being the case, and although the Regulation does not prescribe the specific measures that controllers and processors must implement, imposing instead the generic principle of active (proactive) responsibility, the point is that, in order to be able to act when a breach or security incident occurs, the data controller must be prepared for that possibility and must have established in advance what actions are to be taken should a breach occur.
How to be prepared?
Two mechanisms help here: the record of processing activities and the data protection impact assessment (DPIA). Although the Regulation only makes the DPIA mandatory when a processing operation is likely to result in a high risk, the recommendation is for every controller to know which personal data it processes, by what means and with what associated risks, and to have mechanisms in place to detect personal data breaches when they happen.
What to do if the breach occurs?
The data controller must activate its action plan: resolve the breach, minimise its consequences for those affected, and document the events identified and the actions taken, both to prevent a recurrence and to be able to report when the breach was detected and when it was resolved.
Therefore, just as important as resolving the breach and minimising the risks to those affected is learning from it, by identifying where in the organisation's information-management processes the failure originated. Documenting the breach in detail, together with the actions taken to manage it and to prevent it in future, is itself part of the principle of proactive responsibility.

Paloma Aguilar (T&L Attorney)
