Security breaches and GDPR: What's new


The management of security breaches is undoubtedly one of the most important new features of the GDPR. A year ago we already published a post where we explained what to do in case they occurred in your company or startup, but certainly the reality of this last year requires an update of the content.

What to do in the event of a security breach?

The basic obligations in the face of any security breach, according to the GDPR and as we recommended in November 2019, are three:

  1. Record and internally manage the security breach. This requires having an internal protocol so that security breaches are communicated to the responsible and they document what steps have been followed in order to minimize their impact. This last point is very important because sometimes companies do not have a real and effective capacity to prevent an attack or a security breach, but they have a say to decide how they respond to it. This is a factor that the Spanish Data Protection Authority (“AEPD”) values ​​highly in the event that the breach ends up in a sanctioning procedure.
  1. Analyze if the breach should be communicated to the AEPD. This is one of the important novelties of the GDPR and it is that the obligation to communicate data breaches to the AEPD is introduced; the only exception is that this breach is unlikely to create risks for affected people (for example, if data was encrypted). In all other cases, communication is mandatory within 72 hours after the incident was known. This is not just any factor because many times companies know about the incident even months after it has occurred.
  1. Analyze whether the breach needs to be communicated to affected people. In the most serious cases (theft of credentials or breaches that may imply identity theft) communication to those affected is required.

In relation to these last two important points, we add here an important novelty and it is the recent publication by the AEPD of a questionnaire that allows deciding if communication is necessary to the AEPD itself and to those affected. By answering a few brief questions, you can have an orientation on how to act.

Security breaches

Are there fees for not reporting security breaches?

In November 2019, there were still no sanctions in Spain for not communicating security breaches. In July 2020, a € 3,600 sanction was published for failure to notify to the AEPD a security breach.

The penalty was € 6,000 but it was reduced since the responsible paid voluntarily. The specific case is a computer attack on a company through which the attackers obtained the personal data, such as email, of the clients of that company, sending them emails to obtain more information about them for fraudulent purposes.

These attacks are becoming more frequent.

Security breaches and COVID19?

This year 2020 will be sadly remembered by COVID19; among many other consequences, one of them is that companies have entrusted their continuity, on many occasions, to “new” digital providers and teleworking.

Both cases, regardless of their advantages, can be a source of “new” security breaches.

New providers and tools

As we say, given the impossibility of performing most of the tasks in person, companies have implemented new tools to continue working: video calls, electronic document signature systems, contracts, etc.

These tools, for the most part, are managed by new suppliers for companies and if we put “in their hands” part of their production processes and the personal data that are handled in them, companies must be aware that breaches or incidents can happen to them.

That is why it is very important to ensure the breach communication policy from suppliers to their clients, so that they, in turn, comply with the requirements of the GDPR.


The phenomenon of teleworking has experienced unprecedented growth in 2020.

With its undeniable advantages, teleworking is not without new risks: access to personal data from workers’ homes, with security measures not controlled by companies, is undoubtedly the greatest of them.

Any incident that occurs in these circumstances must be known and controlled by the company and treated as if it had occurred in the company itself.

Security breaches are one of the new challenges of the GDPR and how to manage them is undoubtedly a situation that companies must address efficiently and according to their structure and organization.

If you need to review or implement your internal security breach management protocol, contact with us.

The legality of your company,
in the best hands

(+34) 692 14 05 71