Despite the best will in the world and processes in place, data breaches can still happen. A breach can be as simple as a lost USB stick holding patient information, or a sustained hacking attempt that affects only your clinic, or one that reaches you because a wider organisation you belong to has been maliciously attacked.
Informing the supervisory body.
The most important point is that, under Article 33, you must inform the supervisory body without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If you cannot do it within 72 hours, the notification must be accompanied by your reasons for the delay. The only breaches you need not notify are those unlikely to result in a risk to the rights and freedoms of the people concerned; every breach, notified or not, must still be recorded internally with its facts, effects and the remedial action taken. Where you do not yet have all the details, you may provide them in phases rather than wait for a complete picture. The information you will need to provide is:
- Nature of the breach, including where possible:
  - The categories of data subjects concerned (for example patients, staff).
  - The approximate number of data subjects concerned.
  - The categories and approximate number of personal data records affected.
- The name and contact details of your data protection officer, or of another contact point who can provide further information.
- The likely consequences of the breach for the people concerned.
- The measures you have taken, or propose to take, to address the breach and to mitigate its possible adverse effects.
Informing the patient.
In addition to informing the supervisory authority, Article 34 requires you to notify the person whose data has been breached (the data subject) without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The communication must be in clear and plain language and must describe the nature of the breach, along with at least the contact point, likely consequences and mitigating measures listed above. You do not need to inform the patient if:
- You had applied appropriate technical and organisational protection measures to the affected data, such as encryption, that make it unintelligible to anyone not authorised to access it. A lost encrypted USB stick only qualifies if the key or passphrase was not lost or exposed with it.
- You have taken subsequent measures that ensure the high risk is no longer likely to materialise.
- Contacting each patient individually would involve disproportionate effort. In that case you must instead make a public communication, or take an equivalent measure that informs the people concerned equally effectively.
If you have not informed your patients and the supervisory authority, having considered how likely the breach is to result in a high risk, disagrees with your assessment, it may require you to inform them, or it may decide that one of the conditions above is met and no communication is needed.