GDPR breach assessment calculator

Has your company experienced a breach? Are you wondering whether to notify the President of the Polish DPA? Do you have doubts about whether to inform the data subjects? Or maybe it’s not that serious and it is enough to disclose it in the breach register that you maintain?

Don't worry — we're with you. With our calculator, you'll assess the risks related to a personal data breach and find out what steps you should take.

The calculator has been supplemented with the recommendations and examples indicated in the guide published by the President of the Polish Personal Data Protection Office.

The GDPR imposes on the data controller an obligation to report to the President of the Polish DPA personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons. However, it does not provide guidance on how to assess whether such a risk exists. Similarly, with respect to the need to notify the data subject of a breach – the GDPR refers to a high risk to rights and freedoms as the condition for taking the specified action. In this case too, it leaves the risk assessment to the data controller.

To facilitate the difficult task of risk assessment, we present our calculator, which will allow you to perform such an evaluation step by step. The result of the calculator will be reliable only if you complete it with due diligence. In addition, when answering the questions, you should take care to fill in the justification fields, as this positively affects the credibility and transparency of the analysis performed by the data controller.

Remember to take into account the recommendations and previous decisions of the President of the Polish DPA when assessing a breach, in particular when the PESEL number has been compromised. According to our supervisory authority, its unauthorized disclosure, modification or loss very often may be associated with a high risk to the rights and freedoms, which results in the need to report such a breach to the President of the Polish DPA and to notify the data subjects.

Assess whether the breach requires notification

1. Breach description

When did the breach occur?

The controller is the entity that determines the purposes and means of processing. It is responsible for managing the personal data breach, including any notification to the supervisory authority or informing the data subjects.

Describe the cause and course of the breach you are analysing.

2. Scope of compromised data

Common data are information relating, inter alia, to the identity (e.g. name, internet nickname, date of birth, parents' names), contact data (e-mail address, telephone number) or address data (residential or correspondence address) of the data subject.

Behavioural data are information relating, inter alia, to the location, movements, preferences or tastes of the data subject.

Financial data is any type of data relating to the finances of the data subject (e.g. income, financial transactions, bank statements, investments, credit card numbers, invoices, etc.). This category also includes information about social assistance and material support.
Special category data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or data relating to criminal convictions and offences.
3. Factors affecting the risk level

Choose this value if the breach you're analyzing affects more than 100 people.
When assessing whether a wide range of data is involved, consider the amount of information covered by the breach. For example, disclosure by an internet service provider of browsing history from one year instead of one week may indicate a broad breach. Similarly, disclosure by a bank of a full credit application, rather than just one attachment, should also be treated as a breach involving a wide range of data.

The specifics of the data subjects relate to their characteristics, life situation or special needs that may increase the risk of infringement of their rights and freedoms. For example, the telephone number of a Member of Parliament or a ministry employee carries a higher risk than the telephone number of a grocery store worker.

The level of risk is also affected by the particular nature of the persons affected by an incident, in particular where the breach concerns children, elderly persons or people in need of support. In such cases the effects of the breach can be more serious, and the ability of those persons to protect their rights on their own may be limited.

The specifics of the data controller refer to its business profile, which may increase the risk of violating the rights and freedoms of the data subject. For example, disclosing data about customers of a pharmacy or psychiatric clinic carries a higher risk than disclosing data about customers of a stationery shop.
The specific nature of the data should be understood as a factor affecting the risk level through the character and context of the information that was breached. For example, losing a medical certificate containing only information about the good health of the data subject, despite disclosing special category data, will not multiply the risk because the event does not affect that person's situation.
Examples: general availability of data before the breach or ease of collection (e.g. through KRS, CEIDG or social media).
For example, a list of postal addresses for which letters cannot be delivered to specified recipients may indicate that data on the persons residing at that address are not up-to-date.

A trusted recipient is an entity that accidentally received personal data but which, on the basis of previous positive cooperation with the controller, can be regarded as trustworthy: there is reasonable assurance that the recipient will respond appropriately to the incident and take action to reduce the risk of infringement of the rights or freedoms of data subjects.

In order for the controller to recognise the unauthorised recipient as "trusted", at least the following conditions must be met:

  • there is an ongoing relationship with the recipient (e.g. close business cooperation or membership of the same organisational structure),
  • the controller has knowledge of the relevant aspects of the recipient's operation, in particular its security procedures and a previous positive history of cooperation, especially in similar situations.

The concept of a trusted recipient supports a more precise risk assessment. Although the existing relationship may mitigate the assessment of the effects of the breach on data subjects, it does not affect the very fact of classifying the event as a personal data breach.

A trusted recipient may include:

  • another department within the controller's structure,
  • a proven, long-standing supplier,
  • a professional processor that cooperates closely with the controller and complies with high security standards.

4. How do you assess the likelihood of identification of the individuals concerned?

The lowest probability-of-identification value is chosen when the possibility of identifying a person is negligible, that is, when matching the data to a specific person is extremely difficult but may still be possible under certain conditions.

The highest value is chosen when identification is possible directly from the breached data, without any special research being needed to identify the person.

Example: the breach concerns a first name and surname. The degree of probability may vary from case to case, as certain data will not always in themselves uniquely identify a specific person. For example, when identification is carried out using a person's first name and surname:

  • 0.25 (low probability of identification) in a country with a large population where many people share the same name.
  • 0.5 (average likelihood of identification) in the population of a given country where few people share the same name.
  • 0.75 (high probability of identification) in a small town's population, where few or no individuals share the same name and surname.
  • 1 (high risk of identification) in the population of a given country, taking into account other relevant data concerning the breach, for example date of birth and email address.
5. What was the nature of the breach?

  • Loss of confidentiality: for example, access is obtained by persons or entities who are not authorised or have no legitimate purpose for having such access.
  • Loss of integrity: for example, the original information is changed and the processing of the data thus modified may be detrimental to the person.
  • Loss of access: for example, personal data cannot be accessed when needed; the loss can be temporary (the data can be retrieved only after a certain period of time) or permanent (the data cannot be retrieved).
  • Deliberate, harmful action: examples include cases of theft and burglary in order to cause harm to individuals (e.g. by disclosing their personal data), or passing on personal data to third parties for profit (e.g. selling a list of personal data).
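The ENISA severity formula named in the disclaimer below, carried through with the calculator's own inputs from sections 2 to 5, as an added Python example that is not ODO 24's calculator code. The formula SE = DPC x EI + CB, the 0.25 to 1 identification values and the low/medium/high/very high bands come from the ENISA methodology; the +/-1 adjustment for the section 3 factors and the mapping from band to GDPR action are this example's simplifying assumptions.

```python
"""Added example (not ODO 24's calculator code): the ENISA 2013 severity score
SE = DPC x EI + CB, fed with the inputs the calculator asks for in sections 2 to 5.
Weights and bands follow this example's reading of the ENISA method; the +/-1 factor
adjustment and the band-to-GDPR-action mapping are simplifying assumptions."""
from dataclasses import dataclass

# Section 2: Data Processing Context, base score of the most sensitive category
DPC_BASE = {"common": 1, "behavioural": 2, "financial": 3, "special": 4}
# Section 4: Ease of Identification, the four values listed on the page
EI_VALUES = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
# Section 5: Circumstances of Breach, added on top of DPC x EI
CB_WEIGHTS = {
    "confidentiality": {"none": 0.0, "trusted_recipient": 0.0,
                        "known_recipients": 0.25, "unknown_recipients": 0.5},
    "integrity": {"none": 0.0, "recoverable": 0.25, "unrecoverable": 0.5},
    "availability": {"none": 0.0, "temporary": 0.25, "permanent": 0.5},
}


@dataclass
class Breach:
    data_categories: set         # subset of DPC_BASE keys
    ease_of_identification: str  # key of EI_VALUES
    aggravating: int = 0         # section 3 factors raising DPC (>100 people, wide range, vulnerable subjects)
    mitigating: int = 0          # section 3 factors lowering DPC (data already public, out of date, trivial)
    confidentiality: str = "none"
    integrity: str = "none"
    availability: str = "none"
    malicious_intent: bool = False


def dpc_score(b: Breach) -> int:
    """Most sensitive category, adjusted by section 3 factors, clamped to ENISA's 1..4."""
    base = max(DPC_BASE[c] for c in b.data_categories)
    return min(4, max(1, base + b.aggravating - b.mitigating))

def cb_score(b: Breach) -> float:
    """One weight per protection goal lost, plus 0.5 for malicious intent."""
    cb = sum(CB_WEIGHTS[goal][getattr(b, goal)] for goal in CB_WEIGHTS)
    return cb + (0.5 if b.malicious_intent else 0.0)

def severity(b: Breach) -> float:
    return dpc_score(b) * EI_VALUES[b.ease_of_identification] + cb_score(b)

def severity_band(se: float) -> str:
    """ENISA bands: below 2 low, 2 to 3 medium, 3 to 4 high, 4 and above very high."""
    if se < 2:
        return "low"
    if se < 3:
        return "medium"
    return "high" if se < 4 else "very high"

def gdpr_actions(band: str) -> list:
    """Assumed mapping: register every breach (Art. 33(5)); medium and above counts as a
    risk (Art. 33 report to the DPA within 72 h); high and above as a high risk (Art. 34)."""
    actions = ["record in internal breach register (Art. 33(5))"]
    if band != "low":
        actions.append("report to the supervisory authority within 72 h (Art. 33)")
    if band in ("high", "very high"):
        actions.append("notify the data subjects without undue delay (Art. 34)")
    return actions
```

Adding one section 3 aggravating factor (e.g. more than 100 people affected) to a financial-data breach with significant ease of identification moves it from the medium to the high band, which is the kind of shift the calculator's justification fields are meant to document.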

Disclaimer

The methodology adopted to create this calculator takes into account the recommendations contained in the publication by the European Union Agency for Network and Information Security (ENISA), Recommendations for a methodology of the assessment of severity of personal data breaches (2013). Any breach or suspected personal data breach should be analysed individually, in particular in the performance of the duties defined in Articles 33 and 34 of the GDPR. Therefore, this calculator may constitute at most an additional auxiliary source and cannot be an independent basis for decision-making by any entity or person, who uses the calculator on their own responsibility. ODO 24 sp. z o.o. shall not be liable to any entity or person for any indirect or direct consequences of using the calculator, in particular in the form of damage, the obligation to pay compensation or redress, administrative penalties imposed, loss of benefits or other negative consequences.

The data entered into the calculator is not collected or stored by ODO 24. The tool works only on the user side – all information remains exclusively on your device and is not transmitted to our servers.


What is a personal data breach?

A personal data breach is a situation in which the personal data managed by a company or organisation are improperly disclosed, lost, stolen or otherwise used without the consent of the person to whom the data relate. This can occur in various ways — for example, when someone breaks into the company's IT system and copies the data, when an employee accidentally sends an e-mail containing the data to the wrong person, or when documents containing data are lost or stolen.

A personal data breach is a serious problem because it can lead to an invasion of the privacy of the individuals whose data are affected. For example, if your personal data, such as your name, address or telephone number, fall into the wrong hands, they may be used for purposes for which you did not give consent, such as unsolicited marketing, fraud, or even identity theft.

That is why it is so important for companies and organisations to properly secure the data they manage and to comply with the GDPR. In the event of a personal data breach being detected, they must notify the Polish Personal Data Protection Office and often also the individuals whose data were breached.

What are the most common personal data breaches?

Data protection breaches can occur in many different forms; the most common include:

  • Hacker attacks: situations in which cybercriminals breach computer systems to steal personal data. This may include tactics such as phishing, ransomware, man-in-the-middle attacks, and others.
  • Employee errors: data breaches often result from mistakes made by employees, such as sending personal data to incorrect email addresses, losing devices containing personal data, or failing to secure a computer against unauthorised access.
  • Inadequate safeguards: if an organisation lacks appropriate safeguards, there is a high likelihood that personal data may be stolen. This may include a lack of data encryption, absence of network protections, or lack of information security policies.
  • Physical break-ins: in some cases criminals may physically break into a building to steal equipment containing personal data, such as computers or hard drives.
  • Spoofing and phishing: these attacks involve impersonating trusted individuals or organisations to persuade victims to disclose their personal data.
  • Malware and spyware: software that can be installed on a victim's computer without their knowledge and then collect and transmit personal data.
  • Breaches by third-party vendors: sometimes personal data may be breached by third-party vendors who have access to the data.

What to do in the event of a personal data breach?

If a personal data breach occurs, the following steps should be considered:

  • Identify and understand the breach: The first step is to understand what happened. Was it a hacker attack, an employee error, or a problem with system security? What data were affected?
  • Minimise damage: If possible, take immediate action to minimise damage. This may include changing passwords or disconnecting the affected computer from the network.
  • Conduct an investigation: Carry out a detailed investigation to determine how the breach occurred and how similar incidents can be prevented in the future.
  • Implement remedial measures: Based on the investigation findings, implement fixes to your procedures and systems to prevent similar breaches in the future. This may include staff training, improving IT security measures, or introducing better data management procedures.
  • If necessary, report the breach to the supervisory authority: Consider the necessity of reporting the breach to the supervisory authority in light of Article 33 GDPR. In Poland, the supervisory authority is the President of the Personal Data Protection Office. As an aid, you can use the ODO 24 Breach Severity Calculator.
  • If necessary, notify the data subjects: If the breach is likely to result in a "high risk to the rights and freedoms of natural persons", those data subjects should be informed. The scope of information required in the notification is specified in Article 34 GDPR.
Within what time frame should a personal data breach be reported to the President of the Polish Personal Data Protection Office?

Pursuant to Article 33(1) GDPR, a personal data breach should be reported to the President of the Polish Personal Data Protection Office no later than 72 hours after becoming aware of the breach.

It should be remembered that the Article 29 Working Party (now the EDPB) envisaged a timeframe for carrying out an "investigation" (time to examine the incident and determine whether a breach has occurred).

How should data subjects be informed of a breach?

Pursuant to Article 34 GDPR, if a personal data breach is likely to result in a "high risk to the rights or freedoms of natural persons", the data controller is obliged, without undue delay, to notify the data subjects of the breach.

The notification should include, among other things, a description of the incident, contact details, possible consequences of the incident, recommendations to minimise potential effects, and information on the measures taken by the controller.

Communication should be carried out directly, e.g. by e-mail, letter, or telephone, unless this is not feasible or would require disproportionate effort. In such cases it is permissible to use a public means of communication, e.g. the press, television or the internet.

Does the President of the Polish Personal Data Protection Office impose penalties for personal data breaches?

Yes, the President of the Polish Personal Data Protection Office is entitled to impose financial penalties for breaches of personal data protection. A penalty may amount to up to €20 million or up to 4% of the total worldwide annual turnover for the previous year, whichever amount is higher.

The amount of the penalty depends on many factors, such as: the type of breach, whether the breach was accidental or deliberate, what steps were taken to prevent the breach, whether the breach was reported to the authority, how many individuals were affected and what data were breached. Before imposing a penalty, the President of the Polish Personal Data Protection Office conducts proceedings during which these factors are assessed.

What are the consequences of a data protection breach?

The consequences of a data protection breach can be very serious; they include:

  • Financial penalties: Penalties can amount to up to €20 million or up to 4% of the enterprise's annual global turnover - depending on which amount is higher.
  • Reputation: A data protection breach can seriously jeopardise a company's reputation. Customers may lose trust in a company that failed to protect their personal data. This means they may decide not to use its services or products in the future.
  • Loss of business: As a result of loss of customer trust, the company may experience a decline in sales or loss of customers. Business partners may terminate commercial contracts if the company is unable to provide an adequate level of data protection.
  • Costs associated with the breach: These may include, for example, costs of repairing IT systems, legal costs, costs associated with notifying data subjects of the breach, or costs related to satisfying reported claims.
  • Costs of remediation: The company may be obliged to implement fixes in its systems and procedures to prevent future breaches, which may also incur costs.
  • Other legal consequences: In addition to financial penalties, other legal consequences may arise, including criminal proceedings.
How can I report a data protection breach?

Cases requiring notification of a data breach are defined in Article 33 GDPR. Notification should be made to the President of the Polish Personal Data Protection Office. In the case of most breaches, the notification should be made no later than 72 hours from becoming aware of the breach. The notification may be made electronically or in writing.

Can I be fined for an accidental data protection breach?

Yes, fines for GDPR breaches may be imposed even in the case of an accidental breach. Regardless of whether the breach was intentional or accidental, the data controller is obliged to ensure the protection of personal data and may be held liable for its breach.

The accidental or intentional nature of the breach will, however, be one of the factors taken into account in the proceedings conducted by the President of the Personal Data Protection Office and may influence, for example, the amount of the penalty.
