
March 11, 2025

Data breaches involving individuals’ personal data are a major concern for any organization handling sensitive information today, and Life Science stakeholders and infrastructures are no exception. Even where security is strong, breaches cannot be entirely avoided; responding appropriately is therefore more important than ever.

The European Data Protection Board (EDPB) provides detailed guidelines on personal data breach notification under the General Data Protection Regulation (GDPR). What follows is a summary of the key takeaways from their latest guidelines.

What Constitutes a Personal Data Breach?

Under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. A breach can lead to physical, material, or non-material harm, including:

  • Identity theft or fraud
  • Financial loss
  • Reputational damage
  • Unauthorized reversal of pseudonymization
  • Loss of confidentiality

Types of Personal Data Breaches

The EDPB categorizes personal data breaches into three broad classes:

  • Confidentiality breach: unauthorized disclosure of, or access to, personal data
  • Integrity breach: unauthorized or accidental modification of personal data
  • Availability breach: accidental or unlawful loss of access to, or destruction of, personal data

What to Do When a Data Breach Happens?

1. Identify and Evaluate the Breach

Organizations must have internal mechanisms for detecting and handling breaches, for example logging and network traffic monitoring. Where the organization relies on third-party data processors, the arrangements with those processors must require them to report incidents to the controller without undue delay, so that the controller's own notification clock is not lost while the processor investigates.

2. Document the Breach

Every data breach must be documented in a breach register, which must detail:

  • Nature of the breach
  • Categories and approximate number of persons affected
  • Likely consequences
  • Mitigating steps taken

3. Notify the Relevant Authorities

Unless a breach is unlikely to result in a risk to individuals’ rights and freedoms, organizations must notify the competent Data Protection Authority (DPA) within 72 hours of becoming aware of it; if the notification is later than that, it must be accompanied by the reasons for the delay. Where not all the facts are available within that window, an initial notification must be made and the details provided in phases as the investigation progresses.

4. Inform Affected People (Where Applicable)

Where a breach is likely to result in a high risk to individuals, they must be informed without undue delay so that they can take steps to protect themselves. Organizations should use a communication channel appropriate to the audience, so that the people affected are informed clearly and in time.

Prevention of Future Breaches

While some breaches will have to be responded to, prevention is always preferable. The EDPB recommends the following best practices:

  • Ongoing staff training on data protection
  • Up-to-date anti-virus and anti-malware software
  • Strict access control policies
  • Multi-factor authentication for access to confidential data
  • Regular (ideally daily) backups and data encryption
  • Network monitoring for anomalies

Real-World Examples

To illustrate how different breaches require different responses, here are a few examples drawn from the EDPB’s guidance:

A USB device holding personal data goes missing. If the device is encrypted and the decryption key has not been lost or compromised, the breach is unlikely to result in a risk and may not need to be reported to the DPA. Record-keeping in the breach register is still required.

An insurance agent accidentally receives another customer’s details because of a misconfigured email. Since the exposure is limited and the error is remedied promptly, notification to the DPA is not required.

A ransomware attack encrypts patient records, delaying surgeries and medical treatment. Even though backups are available, the downtime poses a severe threat to the patients concerned, so both the DPA and the affected individuals must be notified.
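The steps above (register the breach, decide whether the DPA must be notified and by when, decide whether individuals must be informed) can be captured as a small decision helper run against the three cases just described. The code below is an added example, not code from the EDPB guidelines or from MyData-TRUST: the `BreachRecord` fields, the boolean risk factors and the `assess_risk` heuristic are simplifying assumptions for illustration, and the three records are constructed inputs. A real risk assessment is made by the controller together with its DPO.

```python
"""Breach register entry plus notification-decision helper (added example).

Assumptions: risk is reduced to three levels; the boolean factors on the
record are stand-ins for the case-by-case analysis a DPO would perform.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorized disclosure or access
    INTEGRITY = "integrity"              # unauthorized modification
    AVAILABILITY = "availability"        # loss of access or destruction


class Risk(Enum):
    NONE = 0   # unlikely to result in a risk: record only
    RISK = 1   # notify the DPA (Art. 33)
    HIGH = 2   # notify the DPA and the affected individuals (Art. 34)


@dataclass
class BreachRecord:
    """Minimum content of a breach-register entry (Art. 33(5))."""
    nature: str
    breach_types: Set[BreachType]
    categories: List[str]          # categories of data subjects / data
    approx_subjects: int
    likely_consequences: str
    mitigations: List[str]
    aware_at: datetime             # when the controller became aware
    # Assumed assessment factors (hypothetical simplification):
    data_encrypted_key_safe: bool = False
    promptly_remediated_low_exposure: bool = False
    health_or_special_category: bool = False
    service_disruption: bool = False
    all_facts_known: bool = True


def assess_risk(r: BreachRecord) -> Risk:
    """Map the recorded facts to a risk level (assumed heuristic)."""
    # Lost encrypted media with the key intact: data is unreadable to a finder.
    if r.data_encrypted_key_safe and r.breach_types == {BreachType.CONFIDENTIALITY}:
        return Risk.NONE
    # Limited exposure that was contained quickly and involves no sensitive data.
    if r.promptly_remediated_low_exposure and not r.health_or_special_category:
        return Risk.NONE
    # Health data or an outage that affects care is treated as high risk.
    if r.health_or_special_category or r.service_disruption:
        return Risk.HIGH
    return Risk.RISK


@dataclass
class Obligations:
    record_in_register: bool
    notify_dpa: bool
    dpa_deadline: Optional[datetime]
    notify_in_phases: bool
    notify_individuals: bool


def obligations(r: BreachRecord) -> Obligations:
    """Derive the GDPR notification obligations from the assessed risk."""
    risk = assess_risk(r)
    notify_dpa = risk is not Risk.NONE
    return Obligations(
        record_in_register=True,   # every breach is recorded, reportable or not
        notify_dpa=notify_dpa,
        dpa_deadline=r.aware_at + timedelta(hours=72) if notify_dpa else None,
        notify_in_phases=notify_dpa and not r.all_facts_known,
        notify_individuals=risk is Risk.HIGH,
    )


def example_records() -> dict:
    """Constructed records mirroring the three cases discussed in the post."""
    aware = datetime(2025, 3, 11, 9, 0, tzinfo=timezone.utc)
    usb = BreachRecord("Encrypted USB stick lost", {BreachType.CONFIDENTIALITY},
                       ["employees"], 200, "none expected: key not compromised",
                       ["loss reported", "backup available"], aware,
                       data_encrypted_key_safe=True)
    email = BreachRecord("Customer details emailed to wrong agent",
                         {BreachType.CONFIDENTIALITY}, ["customers"], 1,
                         "low: single recipient, data deleted on request",
                         ["deletion confirmed", "mail rule fixed"], aware,
                         promptly_remediated_low_exposure=True)
    ransomware = BreachRecord("Ransomware encrypted patient records",
                              {BreachType.AVAILABILITY}, ["patients"], 5000,
                              "delayed surgeries and treatment",
                              ["systems isolated", "restore from backup"], aware,
                              health_or_special_category=True,
                              service_disruption=True, all_facts_known=False)
    return {"usb": usb, "email": email, "ransomware": ransomware}


if __name__ == "__main__":
    for name, rec in example_records().items():
        print(name, obligations(rec))
```

The 72-hour deadline is computed from the moment of awareness, which is why the record stores `aware_at` explicitly; for the ransomware case, where the facts are still being established, the helper flags a phased notification rather than waiting for a complete picture.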

Final Thoughts

With the rise in cyber-attacks, organizations must be ready to handle data breaches efficiently. By implementing robust security measures and involving their DPO in breach management, organizations can reduce risk and remain GDPR compliant.

At MyData-TRUST we offer DPO support services for Life Science organizations. Our DPOs are continuously trained in handling data breaches and security incidents, in determining the risk of a breach, and in the reporting obligations that apply in different jurisdictions.

Michelle Ayora

Data Protection Lawyer

We support our clients on all topics related to Data Protection & Privacy. If you are interested, feel free to reach out to our team for support.
