The Guarantor has made available a self-assessment tool for use in the event of a data breach, although the decisions remain the responsibility of the professional. The professional must notify the Guarantor of the breach unless it is considered unlikely that the breach poses a risk to the rights and freedoms of the data subjects (the people involved). If the professional believes the incident involves a high risk to people's rights, the data subjects must also be informed, unless measures have been taken to reduce the risk, for example by encrypting the data.
The professional must also evaluate whether physical, material or immaterial damage to people could result from the incident, considering the nature, sensitivity and volume of the data involved. Data relating to the health or union membership of employees expose them to a high risk.
But even common personal data such as name, surname, address, email and telephone number can present a risk in certain circumstances. It should be assessed whether third parties in possession of the data can combine them with other data and misuse them. An email address by itself does not present a high risk, but when associated with other data that allow a specific profile of a person to be built, it can be used (in the less serious cases) for personalized marketing.
The possibility of identifying the person and the intentions of the third parties involved in the incident must also be assessed. If the professional mistakenly sends X an email containing a third party's personal data, but knows X and requests and obtains confirmation that the data have been deleted immediately, the risk is limited. The greater the number of people involved, the higher the risk. The Guidelines generally recommend notifying the incident as a precautionary approach.
What to do after a data breach
Notification must be made without delay and, where feasible, within 72 hours of discovery; beyond 72 hours, the professional must justify the reasons for the delay. Even if the incident has not been notified to the Guarantor or communicated to the data subjects, it must still be documented (e.g. in an internal register that will be made available to the Guarantor in the event of a request or inspection). This is an important obligation, as it allows the professional to demonstrate the evaluations made and the decisions taken following a data breach.