There is an aphorism in the world of information security that says "do not ask yourself if you will ever have a data breach, but rather when it will be your turn". In the domain of personal data protection, data security is a principle of lawfulness, so data security is a condition of the legitimate use of personal data. It is understandable, therefore, that the legislator wants any incident to be handled in the best possible way, starting with the capability to promptly reconstruct the facts (forensic investigation) and to share them with the competent supervisory authority. Notification to the authority, required by article 33 of the GDPR, is an important obligation: it is triggered as soon as a very low risk threshold is exceeded, and the deadline for making the notification is short. This makes the notification process one of the main aspects to be monitored within the company organization, as part of the data breach management procedure.
Most of the supervisory authorities in the Member States have provided forms or online procedures to guide controllers and make this task easier. This June, both the Italian Garante and the Spanish authority have changed their notification methods, and we comment on these changes in this episode.
Spanish and Italian news on notification
On June 15 the Spanish authority ("AEPD" or "Agency") published the new data breach notification form on its institutional website. According to the Iberian authority, the form simplifies the notification by guiding the controller through specific questions that cover the information that must be notified.
The Italian Garante, like the AEPD, is about to release an electronic procedure that replaces the previous model and collects more information than before. The provision of 27/5/2021 of the Italian authority (doc. web N. 9667201, in Italian), which approves the new online procedure, motivates this initiative with "the high number of notifications of violation of personal data received by the Garante and which sometimes are lacking some information necessary for a complete evaluation (…) thus making it necessary to subsequently acquire further elements in relation to the facts and circumstances relating to the violation of personal data".
Additional support tools
In addition to the electronic form, the Spanish AEPD had previously released an information guide on the conditions under which notification is mandatory and on other aspects of a data breach, together with a software tool, "Notify the violation of the GDPR", which helps controllers assess whether, in the event of a personal data breach, the data subjects must also be informed under article 34 of the GDPR.
For its part, the Italian Garante had already made available on its institutional website, in the "Services" area, a self-assessment tool structured as a sequence of single-answer questions that guide the user toward correct management of the process; we reported on it in our Alert of 31/12/2020.
This self-assessment tool is only an aid, since the assessment itself remains strictly the responsibility of the controller; it informs the user, with brief explanations and examples, whether notification of the incident to the authority is mandatory.
The Italian Garante rounds out its support kit with an information page on personal data breaches and instructions for using the electronic notification procedure.