Assessing the severity of the incident and notifying the appropriate authorities

In order to define and implement internal procedures for handling such events properly, it is necessary to understand what actions must be taken when they occur. A personal data breach, if not addressed in an appropriate and timely manner, may result in "physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation" (Recital 85 GDPR).

For this reason, the Data Controller is obliged to notify the competent supervisory authority (in Italy, the Garante per la protezione dei dati personali) of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33 GDPR). Where the notification is made after 72 hours, it must be accompanied by the reasons for the delay.

A similar obligation applies to the Data Controller vis-à-vis the data subjects concerned: where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller must communicate the breach to them without undue delay (Article 34 GDPR). Note the different threshold: any risk triggers notification to the authority, whereas only a high risk triggers communication to the individuals.

The risk assessment must take into account both the likelihood and the severity of the risk, together with certain objective parameters suitable for representing the prejudicial effects of the breach on the individuals concerned. These parameters are:

  • the type of breach (loss of confidentiality, integrity or availability of the data)
  • the nature, volume and sensitivity of the data breached
  • the ease with which the data subjects can be identified
  • the severity of the consequences for the individuals
  • the particular categories of data subjects involved in the breach (e.g. minors or other vulnerable persons)
  • the characteristics of the Data Controller (e.g. the nature of its activity and the expectations of the data subjects)

Aside from the notification to the supervisory authority, the GDPR also requires the Data Controller to document every personal data breach, including its facts, its effects and the remedial action taken, regardless of whether it was notified (Article 33(5) GDPR). These details must be recorded in a dedicated breach register, which must be made available to the authority so that it can verify compliance in the event of an investigation.

Security incident and data breach

Criminal law profiles of the management of a security incident