{"id":32200,"date":"2022-06-30T09:35:42","date_gmt":"2022-06-30T09:35:42","guid":{"rendered":"https:\/\/www.digife.it\/?p=32200"},"modified":"2022-06-30T09:35:42","modified_gmt":"2022-06-30T09:35:42","slug":"data-breach-what-to-do-in-case-of-personal-data-breach","status":"publish","type":"post","link":"https:\/\/www.digife.it\/en\/data-breach-what-to-do-in-case-of-personal-data-breach\/","title":{"rendered":"Data Breach - what to do in case of a personal data breach"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In 2022, the theme of <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">, or the violation of personal data, has been at the forefront, together with many other issues related to the privacy of web users. Last, but not least, came the news that the <\/span><a href=\"https:\/\/www.digife.it\/en\/google-analytics-prohibited-use-in-italy\/\"><span style=\"font-weight: 400;\">Privacy Guarantor has prohibited the use of Google Analytics in Italy<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Given the strong prominence that this topic has gained, in this article we will look at what a <\/span><b>data breach<\/b><span style=\"font-weight: 400;\"> is and how to behave when you are the victim of one, 
so that our customers are prepared in the event that this happens to them.\u00a0<\/span><\/p>\n<h3><b>What does data breach mean?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The term <\/span><b>data breach <\/b><span style=\"font-weight: 400;\">denotes a security breach &quot;which involves - accidentally or illegally - the destruction, loss, modification, unauthorized disclosure or access to personal data, transmitted, stored or otherwise processed.&quot;<\/span><a href=\"https:\/\/www.garanteprivacy.it\/regolamentoue\/databreach\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">1<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">In other words, whoever is the victim of a <\/span><b>data breach<\/b><span style=\"font-weight: 400;\"> risks seeing the confidentiality and even the accessibility of their data compromised. Examples include data capture by unauthorized third parties, data theft, and the inability to access data due to external attacks and malware.\u00a0<\/span><\/p>\n<h3><b>What to do in the event of a data breach?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The legislation currently in force that regulates personal data breaches is <\/span><a href=\"https:\/\/www.garanteprivacy.it\/documents\/10160\/0\/Regolamento+UE+2016+679.+Arricchito+con+riferimenti+ai+Considerando+Aggiornato+alle+rettifiche+pubblicate+sulla+Gazzetta+Ufficiale++dell%27Unione+europea+127+del+23+maggio+2018\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">Regulation (EU) 2016\/679<\/span><\/a><span style=\"font-weight: 400;\"> of the European Parliament and of the Council of 27 April 2016.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the Regulation, the subject who suffered a <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">, whether it is a public entity, a company, an association or a professional, must notify the breach within 72 hours from the moment in which they became aware of 
the fact. Here, however, a first distinction must be made.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">, in fact, must always be recorded, but it must be notified to the Privacy Guarantor only if it involves an effective risk to the rights and freedoms of individuals. In any case, however, it is necessary to notify the data controller, or the person whose data were being kept and have been compromised.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the event that you decide to notify, the Guarantor requires some information:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the nature of the breach;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the number of people affected;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the contact details of the data protection officer;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the potential consequences of the breach;\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">the measures the data controllers have taken.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This information is useful for verifying any liability and for ascertaining the dynamics of the events, and it is important to provide it, even at a later time. 
Whoever suffers a <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">, in fact, must prove <\/span><i><span style=\"font-weight: 400;\">accountability<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>Accountability<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">This English term literally translates as <\/span><i><span style=\"font-weight: 400;\">responsibility<\/span><\/i><span style=\"font-weight: 400;\">, but it conveys a slightly different meaning from how we normally understand it. The most accurate translation, used mainly in the legal field, would be \u201cto be able to give an account\u201d.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The data manager must therefore be able to provide evidence demonstrating that they have acted correctly and that they are able to manage the situation. In essence, it is necessary to demonstrate that all the minimum measures necessary for data protection have been implemented, based on the risk that would arise from a possible <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In practice, the principle of <\/span><i><span style=\"font-weight: 400;\">accountability <\/span><\/i><span style=\"font-weight: 400;\">is based on three concepts:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>transparency<\/b><span style=\"font-weight: 400;\">: the company must allow access to all the information in its possession;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>the possibility to demonstrate the actions carried out<\/b><span style=\"font-weight: 400;\">: so that it can be verified that all necessary security measures have been taken;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>compliance<\/b><span style=\"font-weight: 400;\">: the 
ability to enforce internal laws and regulations within the company.\u00a0<\/span><\/li>\n<\/ul>\n<h3><b>What violations must be reported?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">As mentioned, not all personal data breaches must necessarily be notified to the Guarantor: only those <\/span><b>data breaches<\/b><span style=\"font-weight: 400;\"> which may have repercussions on individuals, through physical, material or immaterial damage.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, this is a situation that needs to be analyzed carefully before deciding not to notify. During its verification, the Guarantor will in fact want to know the reasons for this choice, and demonstrating that the <\/span><b>data breach<\/b><span style=\"font-weight: 400;\"> in question is not subject to notification is not a simple matter. To demonstrate accountability, it is therefore important to follow the procedure for handling personal data breaches as closely as possible.<\/span><\/p>\n<h3><b>What happens next?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">If you realize you have suffered a <\/span><b>data breach<\/b><span style=\"font-weight: 400;\">, the Privacy Guarantor has made available a form to be filled out (at this address: <\/span><a href=\"https:\/\/servizi.gpdp.it\/databreach\/s\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/servizi.gpdp.it\/databreach\/s\/<\/span><\/a><span style=\"font-weight: 400;\">) and sent electronically.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Once the notification is received, the authority checks what has happened and assesses whether there have been any irregularities and responsibilities on the part of the company. 
The financial penalties provided for are very high and can reach up to 10 million euros or, in the case of companies, up to 2% of their total turnover.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For those wishing to learn more, guidelines on the notification of personal data breaches, together with some related examples, are also available on the same site. Here are the links:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/guidelines\/guidelines-012021-examples-regarding-personal-data-breach_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/guidelines\/guidelines-012021-examples-regarding-personal-data-breach_en<\/span><\/a><span style=\"font-weight: 400;\">;<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"http:\/\/ec.europa.eu\/newsroom\/article29\/item-detail.cfm?item_id=612052\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">http:\/\/ec.europa.eu\/newsroom\/article29\/item-detail.cfm?item_id=612052<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>In 2022, the issue of data breaches, or the violation of personal data, and many other issues related to the privacy of web users have been at the forefront. 
Last, but ...<\/p>","protected":false},"author":35,"featured_media":32196,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[242,130,59],"tags":[],"class_list":["post-32200","post","type-post","status-publish","format-standard","has-post-thumbnail","category-sicurezza","category-ecommerce","category-notizie"],"_links":{"self":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts\/32200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/comments?post=32200"}],"version-history":[{"count":0,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts\/32200\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/media\/32196"}],"wp:attachment":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/media?parent=32200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/categories?post=32200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/tags?post=32200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}