
Data protection breaches – identify risks, avoid fines, optimize processes

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law


Data protection breaches affect companies of all sizes, whether caused by external attacks or by everyday mistakes. They always call for prompt action: beyond fines under Art. 83 GDPR and claims for damages under Art. 82 GDPR, a breach can cause reputational damage and loss of trust.

Always inform your data protection officer immediately. Under Art. 33 GDPR, a personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the persons concerned. If the risk is high, the affected persons themselves must also be informed (Art. 34 GDPR). The clock starts with awareness, not with the end of the investigation, so triage cannot wait.

Below is an overview of typical scenarios, each with the recommended immediate measures:

Incorrect sending of e-mails

A classic scenario is an email accidentally sent to the wrong recipient. If the message or one of its attachments contains personal data, a data breach has already occurred.

  • Immediate action: Ask the recipient to delete the message and any attachments without forwarding them, and have the deletion confirmed in writing. Record who received what and when, so the risk to the persons concerned can be assessed for the 72-hour decision.
  • Prevention: Use the “BCC” field for mailings to several recipients so they cannot see each other's addresses, and always check the address field before sending; address auto-completion is a common cause of this mistake. Recalling an email is only technically possible in some cases, typically within the same mail system (e.g. Exchange/Outlook) and only if the recipient has not yet opened the message. It does not work for external recipients, so do not rely on it.

Cyber attacks and encryption Trojans

External attacks remain the most serious threat. Ransomware, for example, encrypts data and can paralyze entire systems; the attackers then demand a ransom. Modern ransomware groups usually also copy data out of the network before encrypting it and threaten to publish it, so a ransomware incident is generally a confidentiality breach of personal data and not only an availability problem, which matters for the notification decision.

  • Immediate action: Disconnect affected systems from the network immediately, preserve logs and disk images before anything is wiped so that the incident can be analyzed, identify how the attackers got in and which accounts they used, then rebuild affected computers from a known-good state and restore data from backups that were offline or otherwise out of the attackers' reach. Involve the data protection officer and, where appropriate, law enforcement. Authorities advise against paying ransoms: payment neither guarantees decryption nor prevents publication of stolen data.
  • Prevention: Regular updates and patches, up-to-date malware protection, a restrictive rights and roles concept (no everyday work with administrator rights), offline or immutable backups with regularly tested restores, and binding rules for handling email attachments and links.

Phishing and data theft

Many attacks rely on deception: employees disclose access data under pressure or via fake emails and login pages. It is also not uncommon for fake invoices, or genuine invoices with altered bank details, to be sent and then paid by mistake.

  • Immediate action: Change the password immediately and also revoke active sessions, tokens and app passwords, because a password change alone does not log the attacker out; check the mailbox for forwarding or deletion rules the attacker may have created; determine the extent of misuse and secure the accounts; check invoices carefully, especially for changed IBAN details, and verify any change of bank details by calling the supplier on a number you already have on file, never one given in the email.
  • Prevention: Two-factor authentication (preferably phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes can also be phished), regular employee training on phishing patterns, spam filters, a dual-control process for changing supplier bank details, and clear reporting channels for suspected cases.
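One practical form of the invoice check, as an added example that is not part of the original article: it validates the IBAN checksum (ISO 13616 mod-97) and compares the IBAN on an incoming invoice against the vendor master record, holding the payment if anything differs. Vendor names, amounts and the master table are constructed sample data; the two IBANs are the publicly documented example IBANs for Germany and the UK, not real accounts. In a real accounts-payable process the master table would come from the ERP system, and a hold would trigger a call-back to the supplier.

```python
"""Invoice IBAN check against vendor master data (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Invoice:
    vendor: str
    iban: str
    amount: float


# Constructed vendor master data; in practice this comes from the ERP system.
# The IBANs are the well-known published example IBANs, not real accounts.
VENDOR_MASTER = {
    "Muster GmbH": "DE89 3704 0044 0532 0130 00",
    "Example Ltd": "GB82 WEST 1234 5698 7654 32",
}


def normalize_iban(iban: str) -> str:
    """Strip whitespace and upper-case, so formatting differences do not hide a change."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters by 10..35, and the resulting integer must be 1 mod 97.
    Catches typos and crudely fabricated IBANs, but NOT a valid IBAN that
    simply belongs to the fraudster; that is what the master-data comparison is for."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A'->10 ... 'Z'->35
    return int(digits) % 97 == 1


def check_invoice(inv: Invoice, master: dict[str, str] = VENDOR_MASTER) -> list[str]:
    """Return a list of findings; an empty list means the invoice matches what we know."""
    findings: list[str] = []
    iban = normalize_iban(inv.iban)
    if not iban_checksum_ok(iban):
        findings.append("IBAN fails mod-97 check (typo or fabricated)")
    known = master.get(inv.vendor)
    if known is None:
        findings.append("vendor not in master data")
    else:
        known = normalize_iban(known)
        if iban != known:
            findings.append("IBAN differs from vendor master record")
            if iban[:2] != known[:2]:
                # A supplier that suddenly banks in another country is a classic fraud signal.
                findings.append(f"country changed {known[:2]} -> {iban[:2]}")
    return findings


def release_payment(inv: Invoice, master: dict[str, str] = VENDOR_MASTER) -> bool:
    """Pay only if there are no findings; anything else is held for a call-back to the supplier."""
    return not check_invoice(inv, master)


if __name__ == "__main__":
    for inv in (
        Invoice("Muster GmbH", "DE89 3704 0044 0532 0130 00", 1200.0),
        Invoice("Muster GmbH", "GB82 WEST 1234 5698 7654 32", 1200.0),  # "new bank details"
        Invoice("Muster GmbH", "DE89 3704 0044 0532 0130 01", 1200.0),  # one digit changed
    ):
        print(inv.vendor, inv.iban, "->", check_invoice(inv) or "OK, release")
```

Note that the checksum alone is no protection against invoice fraud: a fraudster's own account has a perfectly valid IBAN. The decisive control is the comparison with the stored master record plus an out-of-band call-back before any change to that record is accepted.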

Loss of data carriers

Whether it is a USB stick, a laptop or a paper file, physical data carriers get lost time and again, and there is a risk of sensitive data reaching unauthorized persons.

  • Immediate action: Trigger a remote wipe for electronic devices via the device management system (this only takes effect once the device comes online again, so it does not replace encryption), block the credentials and certificates stored on the device, and report to the police if theft is likely. For paper files, document the loss and reconstruct the contents as far as possible so that the risk to the persons concerned can be assessed and countermeasures initiated.
  • Prevention: Full-disk encryption of laptops and encryption of mobile data carriers, with keys managed centrally; clear rules for carrying and storing them; and the mandatory use of lockable containers. Encryption also changes the legal assessment: if the data is unintelligible to whoever finds the device, the persons concerned generally do not need to be informed (Art. 34(3)(a) GDPR), although the loss must still be documented internally (Art. 33(5) GDPR).

Unauthorized access by employees

Internal data breaches are also not uncommon: employees look up data for private purposes or use it outside the scope of their work, for example by looking up acquaintances, colleagues or prominent customers.

  • Immediate action: Secure and review the access logs to establish which records were viewed, when and by whom; document the incident; and check the steps available under labor law. Logs can only be reviewed if access logging was switched on before the incident.
  • Prevention: Authorization concepts on a need-to-know basis, a binding commitment to data confidentiality, individual user IDs (no shared accounts, otherwise access cannot be attributed to a person), access logging, and regular awareness training on the possible consequences.
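What the log review looks like in practice, as an added example that is not part of the original article: the script parses constructed audit-log lines, cross-checks each record access against the cases a user is assigned to, and flags accesses with no business reason, after-hours access and exports. The log format (`user=`, `action=`, `record=`, `case=` fields), the user names and the assignment table are assumptions for illustration, not a real product's log format; a real review would use the application's own audit log and the case-management system as the source of assignments.

```python
"""Review of record-access logs for lookups without a business reason (added example)."""
import re
from collections import defaultdict

# Constructed sample log: one line per record access, as an application audit log might write it.
# The field names are an assumption for this example, not a real product format.
SAMPLE_LOG = """\
2024-05-06T09:01:12 user=amuster action=view record=P-1001 case=C-17
2024-05-06T09:03:40 user=amuster action=view record=P-1002 case=C-17
2024-05-06T12:15:02 user=amuster action=view record=P-2045 case=C-52
2024-05-06T12:15:20 user=amuster action=export record=P-2045 case=C-52
2024-05-06T22:47:55 user=bschmidt action=view record=P-3310 case=C-09
2024-05-06T10:30:00 user=bschmidt action=view record=P-0004 case=C-09
"""

# Constructed assignment table: the cases each user legitimately works on.
ASSIGNMENTS = {"amuster": {"C-17"}, "bschmidt": {"C-09"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) case=(?P<case>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(events: list[dict], assignments: dict, office_hours=(7, 20)) -> list[dict]:
    """Flag accesses that need an explanation. Each finding carries the reasons, so the
    review can distinguish 'wrong case' (possible private lookup) from 'odd time'."""
    findings = []
    for e in events:
        reasons = []
        if e["case"] not in assignments.get(e["user"], set()):
            reasons.append("case not assigned to user")
        hour = int(e["ts"][11:13])  # ISO-8601 timestamp, hour at positions 11-12
        if not office_hours[0] <= hour < office_hours[1]:
            reasons.append("outside office hours")
        if e["action"] == "export":
            reasons.append("data export")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def per_user_record_list(events: list[dict]) -> dict[str, list[str]]:
    """Which records each user actually touched: the documentation needed for the
    labor-law assessment and for the Art. 33(5) GDPR breach record."""
    out = defaultdict(set)
    for e in events:
        out[e["user"]].add(e["record"])
    return {user: sorted(records) for user, records in out.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for f in find_suspicious(events, ASSIGNMENTS):
        print(f["ts"], f["user"], f["action"], f["record"], "->", ", ".join(f["reasons"]))
    print(per_user_record_list(events))
```

Only the "case not assigned" rule directly identifies a lookup without a business reason; the time-of-day and export rules are prioritisation hints and produce false positives for shift workers or legitimate bulk exports, so every finding still needs a human check before any labor-law step is taken.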

Data processing without a legal basis

Time and again, personal data is processed without a sufficient legal basis: for example, data is published (e.g. on the website) or used for a purpose other than the one it was collected for (e.g. for unsolicited newsletters).

  • Immediate action: Stop the processing immediately; in the case of a publication, delete it at once and, where applicable, request removal of remaining copies from search engine caches. Check whether the persons concerned must be informed.
  • Prevention: Guidelines for handling data, employee training, a dual control principle before publications, and clear rules for checking the legal basis and purpose before any new use of data.

Conclusion

Data breaches are common. How they are handled is what matters: employees should report them immediately and confidentially to their line manager or the data protection officer, without fear of blame, because every day lost eats into the 72-hour window. It helps if the company has not only the technology in place but also clear processes, training and responsibilities. For managing directors, this means creating structures that are both legally compliant and practical.
