The AEPD launched a tool to aid data controllers in quickly determining whether or not it is necessary to communicate a data security breach to affected data subjects.
On October 22nd 2020, the Spanish DPA (AEPD) reported that it had published a tool to aid data controllers in making decisions regarding whether or not they need to communicate a personal data security breach to affected data subjects. The GDPR dictates that the parties responsible for handling personal data must communicate data security breaches, without delay, to data subjects whose security may be at risk as a result of the data security breach. Article 34(1) of the GDPR states «When the personal data breach is likely to result in a high risk to the rights and freedom of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.»
This free tool is easy to use and is intended to promote transparency and proactive responsibility among data controllers.
This new resource, coined «Comunica-Brecha RGPD» is meant to foster transparency and proactive responsibility among data controllers. It involves an exercise that allows affected data subjects to know when their rights and freedoms may be at risk, allowing them to take appropriate measures to safeguard their information. This tool is free, easy to use and consists of a short form in which details are collected. Based on the information entered in the form, this tool can indicate whether there may be the risk of a data security breach. Depending on the information submitted, the tool produces one of three possible results; that high risk is perceived and data subjects need to be notified of a security breach, that such communication is unnecessary, or that the level of risk could not be determined. This data, though entered into the form is not stored in any instance, and the Spanish DPA is not informed of the details entered.
While this tool is very useful, it is not meant to replace the work conducted by data protection officers.
This tool is not intended in any way to replace the necessary risk assessments conducted by data protection officers, as they would also be able to determine the details of the personal data processed, the characteristics of the data subjects, the circumstances of the data breach, and all the other factors that would go into an accurate risk assessment. The use of this tool however, can help responsible parties communicate data breaches to the affected parties in a timely manner, independent of their obligation to notify the appropriate supervisory authority.
Would you make use of a tool like this?