Data Breach Severity

How is data breach severity calculated under the GDPR?

It is not a mathematical calculation, and the assessment depends on the supervisory authority (the regulator). When judging severity, the regulator will look at points such as the following, drawn from the Article 29 Working Party Guidelines on personal data breach notification:


  • Type of breach. Whether the breach involves the disclosure of personal data (a “confidentiality breach”), loss of access to or destruction of personal data (an “availability breach”), and/or alteration of personal data (an “integrity breach”) affects the risk to data subjects. A single incident can fall into more than one category; ransomware that both exfiltrates and encrypts data is a confidentiality and an availability breach at the same time.
  • Nature, sensitivity, and volume of personal data. The Guidelines state that breaches involving sensitive personal data – including “special categories” of data relating to racial or ethnic origin, political opinions, sex life or sexual orientation, religious or philosophical beliefs, trade union membership, health or genetic data, or criminal convictions, and other sensitive data such as identity documents or financial data – are more likely to be high-risk. Breaches involving a combination of personal data are typically riskier than those involving only a single piece of (non-sensitive) personal data.
  • Severity of consequences for individuals. The Guidelines point to identity theft, fraud, physical harm, psychological distress, humiliation, and damage to reputation as particularly severe potential consequences. The permanence of any consequences and, in the case of a confidentiality breach, the trustworthiness or malice of the unauthorised recipient of the personal data are also factors to consider.
  • Number and characteristics of affected individuals. The Guidelines note that the impact of a breach is likely to be greater where a higher number of individuals are affected. Breaches that affect children or other vulnerable individuals may be higher-risk than those that do not.
  • Ease of identification of individuals from the affected personal data, including whether the data are pseudonymised or encrypted. Note that encryption only lowers the risk if the key was not compromised as well, and it does nothing for an availability breach where the organisation itself has lost access to the data.


What should you do about data breach severity?

Whatever the severity turns out to be, the most important thing is to be able to show that your company did its best:

  • Did you notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach (Article 33)? If you missed the deadline, did you document the reasons for the delay?
  • Did you record the breach in your internal breach register, including the facts, its effects, and the remedial action taken, even if you concluded that it did not need to be notified?
  • Are you applying data protection by design and by default (Article 25)?
  • Did you carry out a DPIA (Data Protection Impact Assessment) for the processing involved?
