Online training on “What to do in case of data breach?” organised by the Bulgarian Industrial Capital Association and the CTeam Group took place on 14 October 2021. Pre-registered participants, most of them private business representatives, attended the training through a remote platform.
The training speakers were representatives of the Personal Data Protection Commission: its Chairman, Mr Ventsislav Karadjov, Commission member Mr Tsanko Tsolov, and officials from the Legal Analysis, Information and Control Activities Directorate. The aim of the training was to discuss the actions of all actors involved in the data protection process in the event of a data breach – controllers, processors, the supervisory authority (CPDP) and natural persons.
The organisation, coordination and implementation of personal data protection trainings are among the principal powers and duties of the CPDP. Such trainings take place on a territorial and sectoral basis and take into account the specific interests and concerns of attendees.
Mr Ventsislav Karadjov, the CPDP Chairman, opened the seminar by presenting the CPDP’s priorities regarding personal data protection, in particular those related to data breaches.
It was explained to the participants what is meant by “security of personal data processing”, when a data breach occurs, and what the types of breaches are. The sequence of actions to be taken by a data controller in the event of a personal data breach was summarised. It was explained why the notification under Article 33 of Regulation (EU) 2016/679 should be considered an important tool to strengthen compliance with the data protection requirements of the Regulation. The conditions requiring a notification to the supervisory authority in case of a personal data breach and the obligations of controllers, processors and joint controllers were examined. A separate presentation discussed the conditions requiring notification to the affected data subjects, in accordance with Article 34 of Regulation (EU) 2016/679, which lays down the conditions under which notification of a security breach to data subjects is required or allowed. The form and the minimum content of the notification to the data subjects affected by the breach were indicated. Attention was drawn to the fact that the proper behaviour of the data controller is to disclose the information to the affected persons, since an informed natural person may also take measures to supplement those already taken by the data controller.
Technical and organisational measures were discussed to minimise the likelihood of occurrence of a breach, as well as measures to be taken in the event of a data breach.
The form adopted by the CPDP for a Data Breach Notification on the basis of Article 33 of Regulation (EU) 2016/679 or Article 67 of the PDPA was presented during the seminar. The form is optional but advisable, as it helps to avoid subsequent requests for additional information and to standardise the notifications submitted to the CPDP. The form is published on the Agency website.
The assessment of the risk arising from the occurrence of a data breach is an important factor in the follow-up actions of both the controller and the CPDP. Two separate presentations addressed the topics of the risk assessment made by the controller and the risk assessment made by the CPDP upon receipt of a notification of a breach. The participants in the training were informed of CPDP’s risk assessment methodology, which is an internal document supporting the handling of security breach notifications received by the CPDP. It was pointed out that a proper risk assessment is essential for CPDP’s further action regarding the handling of a notification.
The issue of documenting any data breach, including the facts relating to the breach, its consequences and the actions taken to handle it, was addressed. Each controller must have plans and procedures in place for responding to possible data breaches, for reporting them, and for designating the persons responsible in the recovery process.
The participants in the training were informed of the administrative process carried out by the CPDP upon the receipt of a notification of a data breach: the procedure for handling it, the tools used, how a decision is taken, what the consequences are.
After 10 presentations clarified the key concepts, the actors in the process and their obligations when a data breach is identified, a separate panel dealt with cases of different types of breaches, actions taken by the controller, notification of a data breach, and actions taken by the supervisory authority following a risk assessment for data subjects. The participants in the seminar were given the floor to ask questions and competent clarifications were made accordingly.