What is a data breach? How does it happen? In this post, we answer these questions and explain what steps you can take to prevent one.
A data breach is a security incident that can lead to the destruction, loss, alteration, or unauthorized sharing of personal data. The causes of a data breach can be either accidental or deliberate and carried out with malicious intent.
You should note that a data protection breach isn’t only the loss of data. Access to the data by an unauthorized third party, the loss or theft of devices containing personal data, and the alteration of personal data without permission are also examples of data breaches.
Therefore, data protection breaches can happen for a wide variety of reasons, and it would be wrong to assume they’re always caused by external hackers.
Indeed, some of the most common causes of a data breach are the lack of appropriate security systems and carelessness: devices containing the company’s data get lost or stolen, or employees give the wrong person access to data.
Even though unintentional and probably harmless, these are still data breaches.
Then there are data breaches caused by external cyberattacks intended to weaken a company’s security system and steal personal data. The Kaspersky team has listed some of the most popular methods hackers use to breach a company’s security:
Data protection breaches can affect anyone, from businesses to government organizations and individuals.
If you run a business that collects and stores users’ personal data, the consequences of a data breach can be very serious: it can harm your users, as their personal information could be stolen and used unlawfully, and it can harm your company, because your confidential information could be shared or sold.
Not to mention how badly a data breach can affect your reputation and reliability as a business.
That’s why it’s so important to implement effective security measures.
Data protection breaches can be prevented. Here are some steps you can consider:
However, even with the most sophisticated security systems and measures in place, a data breach could still happen.
So, along with preventive measures, you and your company should also set up a plan for dealing with one:
According to Article 33 of GDPR, if you’ve been involved in a data protection breach, you need to report it to the Supervisory Authority within 72 hours (unless it’s unlikely to result in a risk to individuals’ rights and freedoms). Users whose data was affected by the breach also need to be informed within the same time frame.
Failing to report a data breach can expose you to fines up to €20 million or 4% of the annual worldwide turnover, whichever is greater.
Please note that, whether or not you are required to report a breach, you need to keep records of all the breaches that have affected your company, no matter how insignificant they may seem. Records will help the authorities assess whether you’re complying with the law.
💡 It’s a lot easier to face a data breach when you keep clear and detailed records.
Records can help you assess the level of risk of your processing activities, and determine if you need to implement new security measures.
iubenda’s Internal Privacy Management tool can help you record all your processing activities, security measures, and every party you share your data with.