Calculator for the seriousness of data breaches (archival version)

Are you wondering whether a breach has occurred at your company? Whether you should report it to the President of UODO (the Polish DPA), or whether it is enough to record it in the breach register you keep?

Don't worry — we're with you. With our calculator, you'll assess the risks related to a personal data breach and find out what steps you should take.

The GDPR imposes on the data controller an obligation to report to the President of the Polish DPA personal data breaches that are likely to result in a risk to the rights and freedoms of natural persons. However, it does not provide guidance on how to assess whether such a risk exists. Similarly, with respect to the need to notify the data subject of a breach – the GDPR refers to a high risk to rights and freedoms as the condition for taking the specified action. In this case too, it leaves the risk assessment to the data controller.

To facilitate the difficult task of risk assessment, we present our calculator, which will allow you to perform such an evaluation step by step. The result of the calculator will be reliable only if you complete it with due diligence. In addition, when answering the questions, you should take care to fill in the justification fields, as this positively affects the credibility and transparency of the analysis performed by the data controller.

Remember to take into account the recommendations and previous decisions of the President of the Polish DPA when assessing a breach, in particular when the PESEL number has been compromised. According to our supervisory authority, its unauthorized disclosure, modification or loss very often may be associated with a high risk to the rights and freedoms, which results in the need to report such a breach to the President of the Polish DPA and to notify the data subjects.

Assess whether the breach requires notification

1. Information on the data affected by the breach
Basic data is information relating, inter alia, to the identity (e.g. name, internet nickname, date of birth, parents' names), contact details (e-mail address, telephone number) or postal details (residential or correspondence address) of the data subject.
Behavioural data is information relating, inter alia, to the location, movements, tastes or preferences of the data subject.
Financial data is any type of data relating to the finances of the data subject (e.g. income, financial transactions, bank statements, investments, credit card numbers, invoices, etc.). This category also includes information about social assistance and material support.
Special category data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation, or data relating to criminal convictions and offences.
A wide scope of data should be considered in terms of the amount of data covered by the breach, but also the duration of the breach. For example, disclosure by an internet service provider of data on the history of websites browsed by a user over a period of one year (rather than, for example, one week) would have such a character. Another example would be disclosure by a bank of a full loan application (rather than, for example, one of the attachments).
The particular nature of data should be understood as a factor affecting the level of risk through the nature and context of the information that has been breached. For example, the loss of a medical certificate containing only information about the good health of the data subject - despite the disclosure of special category data - will not increase the risk, because the event does not affect that person's situation. An example of the opposite situation is the compromise of a PESEL number, i.e. theoretically so-called ordinary personal data, which according to the President of the Personal Data Protection Office is as a rule associated with a high risk to the rights and freedoms of data subjects.

The specifics of the data controller refer to its business profile, which may increase the risk of violating the rights and freedoms of the data subject. For example, disclosing data about customers of a pharmacy or psychiatric clinic carries a higher risk than disclosing data about customers of a stationery shop.

The specificity of data subjects refers to their characteristics, life situation or needs, which may increase the risk of violation of their rights and freedoms. For example, the disclosure of the telephone numbers of parliamentarians or ministry employees carries a higher risk than the telephone numbers of grocery shop employees.

The breach may have adverse effects on data subjects, such as identity theft, financial damage, reputational harm, discrimination.
Availability of data here means the ability to obtain it from open sources of information (e.g. KRS, CEIDG, Facebook).
The currency of data means their substantive correctness, i.e. certainty that they correspond to the actual state of affairs. For example, a list of postal addresses at which letters cannot be delivered to the indicated recipients may indicate that the data about the persons residing at those addresses are out of date.
2. How do you assess the likelihood of identification of the individuals concerned?

The lowest likelihood-of-identification value is selected when the possibility of identifying a person is negligible, i.e. it is extremely difficult to match the data to a specific person, although it may still be possible under certain conditions.

The highest value is selected when identification is possible directly from the breached data, without any additional investigation being needed to reveal a person's identity.

Example: the breach concerns a person's first name and surname.

The degree of likelihood may vary from case to case, as certain data will not always in themselves uniquely identify a particular person.

For example, when identification is carried out using a person's name:

  • Negligible likelihood of identification in the population of a given country where many people have the same name.
  • Limited likelihood of identification in the population of a given country where few people have the same name.
  • High likelihood of identification in the population of a small town where few or no other people have the same surname.
  • Maximum likelihood of identification in a country's population, taking into account other data affected by the breach, e.g. date of birth and e-mail address.
3. What was the nature of the breach?
Loss of confidentiality occurs when access to data is obtained by persons or entities who are not entitled to it or have no legitimate purpose for such access.
Loss of integrity occurs when the original information is changed and the processing of the data thus modified may be detrimental to the person.
Access loss occurs when personal data cannot be accessed when it is needed; it can be temporary (data can only be retrieved after a certain time) or permanent (data cannot be retrieved).
Malicious action covers cases of theft and burglary intended to cause harm to individuals (e.g. by disclosing their personal data), and the transfer of personal data to third parties for profit (e.g. the sale of databases).
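Steps 1 to 3 above can be combined into a single score in the manner of the ENISA methodology the calculator follows (SE = DPC × EI + CB). The Python below is an added illustration, not the ODO 24 calculator's own code; its numeric weights, severity bands and the mapping of bands to Article 33/34 duties are assumptions modelled on the ENISA 2013 publication, not values stated on this page.

```python
# Added example, not the ODO 24 calculator's own code: steps 1-3 above as an
# ENISA-style score SE = DPC x EI + CB. The weights and the mapping of
# severity to GDPR duties are assumptions modelled on ENISA 2013, not
# values stated on this page.
from dataclasses import dataclass
from enum import Enum

class DataType(Enum):  # step 1: base data processing context (DPC)
    BASIC = 1
    BEHAVIORAL = 2
    FINANCIAL = 3
    SPECIAL_CATEGORY = 4

class Identification(Enum):  # step 2: ease of identification (EI)
    NEGLIGIBLE = 0.25
    LIMITED = 0.5
    SIGNIFICANT = 0.75
    MAXIMUM = 1.0

@dataclass
class Breach:
    data_type: DataType
    identification: Identification
    # step 1 modifiers, in DPC points: wide scope, particular nature (PESEL),
    # controller/subject specifics aggravate; public or outdated data mitigate
    aggravating: int = 0
    mitigating: int = 0
    # step 3 circumstances (CB), assumed 0 / 0.25 / 0.5 each: e.g. for
    # confidentiality known recipients / unknown recipients / made public
    confidentiality: float = 0.0
    integrity: float = 0.0
    availability: float = 0.0
    malicious: bool = False  # theft, burglary, sale of the data: +0.5

def severity_score(b: Breach) -> float:
    dpc = min(4, max(1, b.data_type.value + b.aggravating - b.mitigating))
    cb = b.confidentiality + b.integrity + b.availability + (0.5 if b.malicious else 0)
    return dpc * b.identification.value + cb

def severity_level(score: float) -> str:
    """Assumed bands: <2 low, <3 medium, <4 high, otherwise very high."""
    return ("low" if score < 2 else "medium" if score < 3
            else "high" if score < 4 else "very high")

def obligations(level: str) -> tuple:
    """(report to the DPA, Art. 33; notify data subjects, Art. 34);
    assumption: above low counts as a risk, high or above as a high risk."""
    return level != "low", level in ("high", "very high")

if __name__ == "__main__":  # the page's two illustrations
    pesel = Breach(DataType.BASIC, Identification.MAXIMUM, aggravating=2, confidentiality=0.5)
    cert = Breach(DataType.SPECIAL_CATEGORY, Identification.LIMITED, mitigating=2, confidentiality=0.25)
    for name, b in (("PESEL leak", pesel), ("lost certificate of good health", cert)):
        score = severity_score(b)
        print(f"{name}: SE={score} -> {severity_level(score)}, (report, notify)={obligations(severity_level(score))}")
```

With these assumed weights the PESEL leak scores 3.5 (high: report and notify) and the lost certificate of good health scores 1.25 (low: no obligation), matching the two illustrations given in step 1.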

Disclaimer

The methodology adopted to create this calculator takes into account the recommendations contained in the publication of the European Union Agency for Network and Information Security (ENISA), 2013, Recommendations for a methodology of the assessment of severity of personal data breaches. Any breach or suspected personal data breach should be analysed individually, in particular in the performance of the duties defined in Articles 33 and 34 of the GDPR. Therefore, this calculator may constitute at most an additional auxiliary source and cannot be an independent basis for decision-making by any entity or person, who uses the calculator on their own responsibility. ODO 24 sp. z o.o. shall not be liable to any entity or person for any indirect or direct consequences of using the calculator, in particular in the form of damage, the obligation to pay compensation or redress, administrative penalties imposed, loss of benefits or other negative consequences.

The data entered into the calculator is not collected or stored by ODO 24. The tool works only on the user side – all information remains exclusively on your device and is not transmitted to our servers.

Breach severity

Severity assessment: Low – individuals will not be affected by the breach, or only minor inconveniences have been caused.

Obligation to notify: No obligation to report the breach.

What is a personal data breach?

A personal data breach is a situation in which the personal data managed by a company or organisation are improperly disclosed, lost, stolen or otherwise used without the consent of the person to whom the data relate. This can occur in various ways — for example, when someone breaks into the company's IT system and copies the data, when an employee accidentally sends an e-mail containing the data to the wrong person, or when documents containing data are lost or stolen.

A personal data breach is a serious problem because it can lead to an invasion of the privacy of the individuals whose data are affected. For example, if your personal data, such as your name, address or telephone number, fall into the wrong hands, they may be used for purposes for which you did not give consent, such as unsolicited marketing, fraud, or even identity theft.

That is why it is so important for companies and organisations to properly secure the data they manage and to comply with the GDPR. In the event of a personal data breach being detected, they must notify the Polish Personal Data Protection Office and often also the individuals whose data were breached.

What are the most common personal data breaches?

Data protection breaches can occur in many different forms; the most common include:

  • Hacker attacks - These are situations in which cybercriminals breach computer systems to steal personal data. This may include tactics such as phishing, ransomware, man-in-the-middle attacks, and others.
  • Employee errors - data breaches often result from mistakes made by employees. This can include sending personal data to incorrect email addresses, losing devices containing personal data, or failing to secure a computer against unauthorised access.
  • Inadequate safeguards - If an organisation lacks appropriate safeguards, there is a high likelihood that personal data may be stolen. This may include lack of data encryption, absence of network protections, or lack of information security policies.
  • Physical break-ins - In some cases criminals may physically break into a building to steal equipment containing personal data, such as computers or hard drives.
  • Spoofing and phishing - These attacks involve impersonating trusted individuals or organisations to persuade victims to disclose their personal data.
  • Malware and spyware - These are software programs that can be installed on a victim’s computer without their knowledge and then collect and transmit personal data.
  • Breaches by third-party vendors - Sometimes personal data may be breached by third-party vendors who have access to the data.
What to do in the event of a personal data breach?

If a personal data breach occurs, the following steps should be considered:

  • Identify and understand the breach: The first step is to understand what happened. Was it a hacker attack, an employee error, or a problem with system security? What data were affected?
  • Minimise damage: If possible, take immediate action to minimise damage, such as changing passwords or disconnecting the affected computer from the network.
  • Conduct an investigation: Carry out a detailed investigation to determine how the breach occurred and how similar incidents can be prevented in the future.
  • Implement remedial measures: Based on the investigation findings, implement fixes to your procedures and systems to prevent similar breaches in the future. This may include staff training, improving IT security measures, or introducing better data management procedures.
  • If necessary, report the breach to the supervisory authority: Consider the necessity of reporting the breach to the supervisory authority in light of Article 33 GDPR. In Poland, the supervisory authority is the President of the Personal Data Protection Office. As an aid, you can use the ODO 24 Breach Severity Calculator.
  • If necessary, notify the data subjects: If the breach is likely to result in a "high risk to the rights and freedoms of natural persons", those data subjects should be informed. The scope of information required in the notification is specified in Article 34 GDPR.
Within what time frame should a personal data breach be reported to the President of the Polish Personal Data Protection Office?

Pursuant to Article 33(1) GDPR, a personal data breach should be reported to the President of the Polish Personal Data Protection Office no later than 72 hours after becoming aware of the breach.

It should be remembered that the Article 29 Working Party (now the EDPB) envisaged a timeframe for carrying out an "investigation" (time to examine the incident and determine whether a breach has occurred).

How should data subjects be informed of a breach?

Pursuant to Article 34 GDPR, if a personal data breach is likely to result in a "high risk to the rights or freedoms of natural persons", the data controller is obliged, without undue delay, to notify the data subjects of the breach.

The notification should include, among other things, a description of the incident, contact details, possible consequences of the incident, recommendations to minimise potential effects, and information on the measures taken by the controller.

Communication should be carried out directly, e.g. by e-mail, letter, or telephone, unless this is not feasible or would require disproportionate effort. In such cases it is permissible to use a public means of communication, e.g. the press, television or the internet.

Does the President of the Polish Personal Data Protection Office impose penalties for personal data breaches?

Yes, the President of the Polish Personal Data Protection Office is entitled to impose financial penalties for breaches of personal data protection. A penalty may amount to up to €20 million or up to 4% of the total worldwide annual turnover for the previous year, whichever amount is higher.

The amount of the penalty depends on many factors, such as: the type of breach, whether the breach was accidental or deliberate, what steps were taken to prevent the breach, whether the breach was reported to the authority, how many individuals were affected and what data were breached. Before imposing a penalty, the President of the Polish Personal Data Protection Office conducts proceedings during which these factors are assessed.

What are the consequences of a data protection breach?

The consequences of a data protection breach can be very serious; they include:

  • Financial penalties: Penalties can amount to up to €20 million or up to 4% of the enterprise's annual global turnover - depending on which amount is higher.
  • Reputation: A data protection breach can seriously jeopardise a company's reputation. Customers may lose trust in a company that failed to protect their personal data. This means they may decide not to use its services or products in the future.
  • Loss of business: As a result of loss of customer trust, the company may experience a decline in sales or loss of customers. Business partners may terminate commercial contracts if the company is unable to provide an adequate level of data protection.
  • Costs associated with the breach: These may include, for example, costs of repairing IT systems, legal costs, costs associated with notifying data subjects of the breach, or costs related to satisfying reported claims.
  • Costs of remediation: The company may be obliged to implement fixes in its systems and procedures to prevent future breaches, which may also incur costs.
  • Other legal consequences: In addition to financial penalties, other legal consequences may arise, including criminal proceedings.
How can I report a data protection breach?

Cases requiring notification of a data breach are defined in Article 33 GDPR. Notification should be made to the President of the Polish Personal Data Protection Office. In the case of most breaches, the notification should be made no later than 72 hours from becoming aware of the breach. The notification may be made electronically or in writing.

Can I be fined for an accidental data protection breach?

Yes, fines for GDPR breaches may be imposed even in the case of an accidental breach. Regardless of whether the breach was intentional or accidental, the data controller is obliged to ensure the protection of personal data and may be held liable for its breach.

The accidental or intentional nature of the breach will, however, be one of the factors taken into account in the proceedings conducted by the President of the Personal Data Protection Office and may influence, for example, the amount of the penalty.
