On the 18th of January 2021, the European Data Protection Board (EDPB) adopted new guidelines regarding data breach notification, introducing more practice-oriented guidance and recommendations. The guidelines state that data breaches need to be reported within 72 hours of discovery. In specific situations the national supervisory authorities and the data subjects must also be notified of the breach. Data breaches have become more frequent in recent years, and personal information is often involved in such incidents. Besides falling under the new EDPB guidelines, this can lead to GDPR violations, which can result in significant financial losses and reputational damage; fines of up to EUR 10 million or 2 percent of the company's global annual turnover can be imposed.
A recent example of such an incident is the data breach at GGD, where private information was leaked of people either tested for or vaccinated against COVID-19. The compromised system contains the names, addresses and dates of birth of about 5.5 million people [2, 3]. Another example is the data breach at housing corporation Stadgenoot, during which personal information of around 30,000 people who had expressed interest in buying or renting homes and parking places was exposed.
After a data breach incident, companies need to investigate:
- when the breach has occurred;
- what data has been leaked; and
- whether personally identifiable information (PII) was included in that data.
The incident reporting process is largely determined by whether the leaked data is structured (e.g. an Excel spreadsheet) or unstructured (e.g. emails, texts and images); unstructured data is the more complex data type to investigate and respond to. According to Forbes, unstructured data is growing at a rate of 55 to 65 percent per year, while it already makes up 80 to 90 percent of the overall digital data universe. Due to the increasing complexity of company data infrastructure and growing data volumes, especially of unstructured data, reporting a breach can be challenging.
When facing challenges on reporting breaches of unstructured data, Electronic Data Discovery (eDiscovery) solutions can be of enormous help to:
- quickly identify which data sources are leaked;
- quickly and efficiently scan the leaked data for PII;
- redact existing files to eliminate the risk of PII exposure in such incidents.
All in all, eDiscovery solutions can both help you speed up the data breach response process and make your PII data compliance future-proof.
For more information on how eDiscovery can help with data leakage incidents please contact:
Patrick Özer, Partner KPMG Forensic Technology
Joyce Pebesma, Consultant KPMG Forensic Technology
Yinuo Wang, Consultant KPMG Forensic Technology