Privacy: lights and shadows in data breach management

(source: Newsletter 463/2020 of Garante per la Protezione dei Dati Personali)

Awareness of data breach management is widespread, although it is concentrated in a relatively small number of organizations. This is the finding of an international investigation carried out by the data protection authorities (DPAs) of 16 countries, Italy among them, and coordinated by the New Zealand Office of the Privacy Commissioner.

Given the mass of information collected and held by public and private bodies, it is inevitable that in some circumstances personal information is accessed, disclosed or otherwise acquired without authorization. For this reason, the research points out, the way breaches are handled, both in terms of reporting/notification and of the measures adopted to prevent their recurrence, is of fundamental importance for the data protection authorities and for the individuals whose personal information is affected.

This year's Sweep, the coordinated investigation carried out every year by the Gpen (the Global Privacy Enforcement Network), examined how organizations in various countries handle and respond to a data breach. The questionnaire was sent to 1,145 public and private organizations, but only 21% (258) gave substantive answers. One of the causes suggested by the Sweep coordinators for the low response rate is the fear that, in countries where data breach reporting is mandatory, the national authority could use the answers as the basis for follow-up enforcement actions and sanctions.

In light of the results, each DPA will have to evaluate what intervention is needed to improve individuals' control over their personal data.

2019 Sweep Results

Among the positive results, 84% of the responding organizations across the various countries had appointed a team or group responsible for handling data breaches and the related reports.

75% of organizations said that their procedures covered key steps such as containment, assessment and evaluation of the risk associated with a breach. The 18% that gave insufficient answers about these procedures point to a need for greater clarity about the policies to follow, so that all the fundamental measures for responding to a data breach are actually adopted.

65% of the organizations have good or excellent internal procedures for responding to a data breach and preventing future ones. The remaining 35% have insufficient procedures or did not specify.

The organizations without internal policies indicated that, where necessary, they relied on the guidance published by the DPA in their jurisdiction. In one case, an organization described its breach assessment system, which used a three-colour rating (red, amber, green, RAG); the rating took into account the number of records affected, the sensitivity of the data, the distress caused, whether or not the breach had been contained, the possibility of recovering the information, and whether encryption had been applied.
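The following is an added example, not code from the newsletter or from the organization that described its RAG system, of how the six factors listed above can be turned into a repeatable rating and a breach register entry. The weights, thresholds and the special handling of encrypted data are assumptions for illustration; the sample breaches are constructed, not real incidents.

```python
from dataclasses import dataclass, asdict
from enum import Enum


class Rating(str, Enum):
    """Traffic-light (RAG) severity rating for a personal data breach."""
    GREEN = "green"   # low risk
    AMBER = "amber"   # moderate risk: escalate to the breach-handling team
    RED = "red"       # high risk: escalate immediately


@dataclass(frozen=True)
class Breach:
    """The six factors the RAG scheme described above takes into account."""
    records_affected: int
    sensitive_data: bool     # e.g. health, financial or credential data
    distress_likely: bool    # could the individuals suffer distress or harm?
    contained: bool          # has the exposure been stopped?
    recoverable: bool        # can the data be recovered or access revoked?
    encrypted: bool          # data encrypted and the key NOT compromised


def score_breach(b: Breach) -> int:
    """Weighted risk score; the weights are an assumption for this example."""
    score = 0
    if b.records_affected >= 1000:
        score += 2
    elif b.records_affected >= 100:
        score += 1
    if b.sensitive_data:
        score += 2
    if b.distress_likely:
        score += 1
    if not b.contained:
        score += 2
    if not b.recoverable:
        score += 1
    return score


def rag_rating(b: Breach) -> Rating:
    """Map the factors to a RAG colour; thresholds are an assumption."""
    # Properly encrypted data whose key was not exposed is unintelligible to
    # whoever acquired it: treat as low risk unless the exposure is ongoing.
    if b.encrypted:
        return Rating.GREEN if b.contained else Rating.AMBER
    score = score_breach(b)
    if score >= 5:
        return Rating.RED
    if score >= 2:
        return Rating.AMBER
    return Rating.GREEN


def register_entry(breach_id: str, detected_at: str, b: Breach) -> dict:
    """One row for the breach register: the rating plus the inputs behind it,
    so the assessment can be reviewed or audited later."""
    entry = {"id": breach_id, "detected_at": detected_at,
             "rating": rag_rating(b).value}
    entry.update(asdict(b))
    return entry


if __name__ == "__main__":
    # Constructed sample breaches (hypothetical identifiers and timestamps).
    samples = {
        "B-001": Breach(50, False, False, True, True, False),     # green
        "B-002": Breach(5000, True, True, False, False, False),   # red
        "B-003": Breach(5000, True, False, True, True, True),     # green
    }
    for bid, breach in samples.items():
        print(register_entry(bid, "2020-01-15T09:30:00Z", breach))
```

Recording the inputs alongside the colour is the point of the register entry: a rating on its own cannot be re-examined if the facts change (for example, when a breach thought to be contained turns out not to be), whereas a row that carries the factors can simply be re-rated.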

Data breach notification is mandatory in 12 of the 16 jurisdictions that participated in the Sweep. Most of the organizations questioned were aware of the relevant legal framework, including reporting criteria and timeframes; only 5 organizations showed a poor understanding of it. Most organizations find the guidance produced by their DPA useful. However, lack of resources prevented small responding organizations from developing sophisticated data breach policies and procedures. Many organizations were found not to monitor their internal performance against data protection standards: more than 30% have no programme in place to conduct self-assessments and/or internal audits. Around 45% of the responding organizations indicated that they keep up-to-date records of all data breaches (or potential breaches).

The Gpen

The Global Privacy Enforcement Network (Gpen) was created in 2010 following a recommendation of the OECD. The network, which is informal in nature and includes over 60 authorities in 39 countries, seeks to promote international cooperation between data protection authorities in a global context in which consumers and organizations need a constant flow of personal information regardless of national borders.