GDPR – My company suffered a data breach. What should I do?

A personal data breach or data breach is «a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed», as provided for in Article 4(12) of the General Data Protection Regulation («GDPR»).

If your company suffers a data breach, here are the key steps to follow:

1. Assess the Extent of the Data Breach

The first step after discovering a data breach is to assess its extent. This involves determining what type of data was compromised, how many records (and data subjects) were affected and how the breach occurred. A detailed assessment allows you to understand the seriousness of the situation and to take appropriate action.

2. Act Quickly

Once the extent of the data breach is understood, it is crucial to act quickly to mitigate the damage. This may include taking immediate action to stop the breach, such as blocking the unauthorized access and fixing the vulnerabilities in the system through which it occurred.

3. Communicate Internally and Externally

Transparency is key when it comes to dealing with a data breach.

Internally, it is important to inform employees about what has happened and what measures are being taken to resolve the situation.

Externally, entities must communicate openly with customers and other interested parties, providing clear information about the breach and the measures being taken to protect their data.

This duty falls to the controller, who must inform data subjects that a data breach has occurred whenever the legal requirements set out in Article 34 of the GDPR are met.

4. Comply with Legal Obligations

Depending on the severity of the data breach, companies may have specific legal obligations to comply with. These may include notifying the competent authorities and data protection regulators, as well as informing affected customers of the breach.

The data controller must notify the National Data Protection Commission («CNPD») of a data breach, as required by Article 33(1) of the GDPR.

In addition, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects, the notification must be made within 72 hours of the controller becoming aware of the breach.

The controller is also obliged to have an internal policy in place for detecting and managing security incidents that affect the protection of personal data. Where data processing is carried out by subcontractors (processors), the controller must have effective control mechanisms over the subcontractors' actions, ensuring that those actions do not jeopardize compliance with the controller's obligations in this area.

Once the data breach has been resolved, it is important to carry out a post-incident analysis to understand the causes and prevent future occurrences.

This analysis should include a review of data security policies, additional training for employees and the implementation of further data protection measures.

‘ has extensive experience and a specialized team that can advise your company on complying with the legal rules on personal data protection.
