Opinion

Polish supervisory authority publishes updated guide on personal data protection breaches

Published Date: Mar 5 2025
On February 20, 2025, the Polish Personal Data Protection Office (UODO) published an updated version of the guide on personal data protection breaches. The first edition was released in 2018.


The latest version incorporates current regulations, the practical application of the GDPR at both national and EU levels, and feedback from last year's public consultation. During that consultation the UODO collected numerous opinions and comments, allowing the document's content to be adjusted to the current challenges and needs of data processing entities. Details of the consultation process can be found under UODO Public Consultations.


What's new in the guide?

The new version of the guide includes, among other things:

  • updated procedures for responding to breaches (reporting to the President of the UODO);
  • practical examples and case studies;
  • guidelines on cooperation with the UODO and other supervisory authorities; and
  • key recommendations on risk assessment and prevention of breaches.

Specific updates to data breach response procedures

The new guide introduces several updates to the procedure for responding to data breaches:

  • Enhanced reporting mechanisms: the guide emphasizes the importance of timely reporting of breaches to the UODO, specifically within 72 hours of becoming aware of the breach. This includes detailed steps on how to report breaches electronically through dedicated platforms.
  • Detailed documentation requirements: controllers are now required to maintain thorough documentation of all breaches, including the circumstances, effects, and remedial actions taken. This documentation must be readily available for review by the UODO.
  • Risk assessment protocols: the guide outlines updated protocols for assessing the risk associated with data breaches. This includes evaluating the severity and likelihood of potential harm to individuals whose data has been compromised.
  • Communication with affected individuals: the guide also provides detailed instructions on how to communicate effectively and transparently with affected individuals.

The role of the data protection officer in data breach response and reporting

The updated guide also resolves a long-standing dispute in Poland regarding the role that the data protection officer (DPO) should play in the process of managing and reporting data breaches.

While the DPO plays a vital advisory and monitoring role in the management of data breaches, ensuring that the organization complies with GDPR requirements, there are specific actions they should not undertake, so as to maintain their independence and avoid conflicts of interest:

  • Reporting to supervisory authorities: the DPO should not be the one to formally report data breaches to the UODO on behalf of the organization. This responsibility lies with the data controller.
  • Notifying data subjects: the DPO should not be responsible for notifying data subjects about a data breach. This task should be carried out by the controller.
  • Decision-making on breach response: the DPO should not take decisions regarding the specific actions to be taken in response to a data breach. Their role is to advise and support, not to execute or decide on the measures.
  • Signing and sending reports: the DPO should not sign or send breach notification reports to the supervisory authority. This should be done by the controller or an authorized representative.
  • Acting on behalf of the organization: the DPO should not act on behalf of the organization in matters related to data breach management, such as making commitments or taking actions that could compromise their independence.

Practical examples and case studies to help controllers identify and manage data breaches

The guide explains the differences between a data breach and a violation of the GDPR, and the criteria for determining the roles and responsibilities of controllers, processors and DPOs.

The guide also provides more examples and case studies of data breaches, illustrating different types of incidents, as well as their possible causes, consequences and remedies, that help controllers understand how to apply the procedures in real-world scenarios. These examples illustrate:

  • Types of breaches: different types of breaches, such as unauthorized access, data loss, and data corruption are explained with real-life examples.
  • Response strategies: effective strategies for containing and mitigating the impact of breaches are demonstrated through case studies.
  • Lessons learned: each example concludes with lessons learned and best practices to prevent similar incidents in the future.

The importance of cooperation with the UODO and other supervisory authorities

The guide stresses the importance of cooperation with the UODO and other supervisory authorities in the event of a data breach, especially when it has a cross-border dimension. The guide explains the rules and procedures for identifying the lead supervisory authority, notifying the data breach, providing additional information and following the instructions and recommendations of the supervisory authorities. The guide suggests that this cooperation is crucial for several reasons:

  • Compliance and accountability: working closely with supervisory authorities ensures that controllers comply with legal requirements and demonstrate accountability.
  • Expert guidance: supervisory authorities can provide expert guidance and support during breach investigations and remediation efforts.
  • Transparency and trust: transparent communication with supervisory authorities helps build trust with the public and affected individuals, showing that the controller is taking the breach seriously and acting responsibly.

The key recommendations regarding risk assessment and prevention of breaches

The guide advises controllers and processors on how to prevent data breaches by applying a risk-based approach and implementing appropriate technical and organizational measures, such as data protection by design and by default, pseudonymization and encryption, backup and recovery, security testing and auditing, staff training and awareness, and incident response plans.

The updated guide provides a comprehensive list of technical and organizational measures that controllers and processors can implement to prevent data breaches. The guide also refers to the relevant legal sources and guidance documents for further information.

The updated guide is available on the UODO website (in Polish only).
