The classic data protection incidents are sending a confidential email containing personal data to the wrong recipient, and losing an unencrypted USB stick containing sensitive data.
In the first case, the unintended recipient will probably point out quickly that something has gone wrong. From that moment the 72-hour reporting period starts, because such incidents are generally reportable under Art. 33 GDPR, even if the wrong recipient assures you that they deleted the mail immediately and did not read its content in full. The controller (the "responsible party" in the German terminology) must report the breach to the competent supervisory authority and, depending on the content of the mail, also notify the data subject.
It becomes more difficult when a data protection breach only becomes known significantly later than it occurred. Has the controller then automatically missed the reporting deadline, and does that mean a fine is at risk? No.
After all, the first sentence of Art. 33(1) GDPR states: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach ...".
This means, as so often, that the specific individual case determines when the clock starts ticking for a reportable incident. If there is initially only a vague suspicion, it must be investigated immediately, but it is not yet reportable at that point. However, as soon as there is a "reasonable degree of certainty" that a breach has occurred (the wording used in the Article 29 Working Party's guidelines on breach notification, WP250, which the EDPB has endorsed), it must be reported to the competent supervisory authority and, depending on the severity of the risk to the persons affected (Art. 34 GDPR), also to the data subjects.
In the case of the lost USB stick, even one that later turns up again, the reporting period starts as soon as the loss becomes known to the controller. However, this only applies if the data was not adequately encrypted. If the data was encrypted with a state-of-the-art method and the key has not been compromised, the incident does not have to be reported.
The real problem with the tight reporting deadline is therefore not the time of the incident, but the definition of when the controller becomes aware of it. The supervisory authorities have not yet set a uniform rule on the point at which the controller is deemed to have knowledge of a data protection incident. Must the management itself have personal knowledge of the incident? Or is it enough for any employee in the company to become aware of it for the reporting deadline to start?
Looking at the statements the data protection supervisory authorities have made so far, one should assume that personal knowledge by management is not necessarily what counts; it is already sufficient that certain organisational units or function holders become aware of an incident. A binding statement on when the deadline starts for data protection incidents is not yet possible.
Bottom line: only sufficient sensitivity among all employees, combined with comprehensive risk awareness across the company, protects against unpleasant consequences in the event of a data breach.
At REISSWOLF, we train all our employees on this topic frequently and intensively. If you would like to learn more, see our German-language webinar "Meldepflicht von Mitarbeitern bei IT-Sicherheits- und Datenschutzvorfällen" (Eng.: "Employees' obligation to report IT security and data protection incidents").