Data leaks & data breaches: These rules must be observed according to the GDPR
A violation of the protection of personal data is defined in the GDPR as a “breach of security leading unintentionally or unlawfully, to the destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This therefore includes both a data leak, where there is a possibility that third parties could access personal data stored by you, and a data breach, where unauthorized third parties have intentionally accessed data.
In Article 33 (1) of the GDPR, the legislator specifies what must be done in these cases. It states that a violation of the protection of personal data must be reported to the local supervisory authority without delay, which means that you must comply with a deadline of 72 hours. In addition, all cases must be logged internally. Which authority you need to contact varies from country to country. In Germany, there is one competent supervisory authority per federal state.
Additionally, if there is a “high risk to personal rights and freedoms” as a result of the violation, all affected individuals must be notified without exception. This high risk arises from data leaks or breaches of financial or medical data, which can be credit card or bank account data, for example.
However, if “only” contact information is affected, such as names, e-mail address or address, notification is not absolutely necessary. However, it should be noted that if a large number of individuals are involved, the affected individuals must also be contacted in addition to the supervisory authority.
The aforementioned 72-hour time limit for reporting a violation of the protection of personal data begins from the time a data controller becomes aware of the personal data violation. Therefore, if you come across a circumstance involving personal data in your company, and you are unsure whether it is a violation of the protection of personal data, you should first check the incident carefully. If you then know after the examination that this is actually the case, the time limit begins.
Personal data breach or leak according to the GDPR: What must be reported
In this regard, the law specifies what information you must provide to the supervisory authority. According to Article 33 of the GDPR, you must notify the authority of the following:
- A description of how the protection of personal data has been breached by you, the number of data subjects, the number of data sets, as well as the category of the violation of the protection of personal data
- The contact details of your data protection officer or the person who is responsible for it
- A description of the possible and likely consequences of the violation
- A description of the steps you have taken against the violation
This may require notifying the data subjects, as mentioned above. This can be done by letter, email or SMS.
Dealing with a violation of the protection of personal data in Jira and Confluence
The two software products Jira and Confluence from Atlassian are enjoying great popularity across Europe. With the great advantages of the software, which enable an agile workflow in project management, there are of course also risks associated with the storage of personal data. However, these risks can be eliminated in no time with a few simple tricks.
The simplest solution for all data protection use cases in Jira and Confluence are the apps “Data Protection and Security Toolkit for Jira/Confluence“. These apps allow you to prevent personal data breaches and leaks in advance. If it already happens and there is a data leak or breach, you can react to it quickly and fix it.
In the event that personal data has already been compromised, this can be remedied by the following steps:
1. If you notice that there is a violation of the protection of personal data the app’s “Data Cleaner Module” is the first place to go. Here you can find all stored and processed personal data such as email addresses, phone numbers, social security numbers, credit card numbers, etc. through a simple JQL query.
2. Once you have found the affected data, you can apply various actions to them. One of the actions is extremely useful in the case that there is a “high risk to personal rights and freedoms” for personal data involved, because then you need to notify the data subjects by letter, SMS or email. For this purpose, the app has the function: “Send notification email”. This allows you to create an email template in the app, which you can then send to all data subjects, fulfilling your obligation to notify them.
3. The next step is to use the app function “Permission Monitoring”. After you have found all affected information in Jira tickets and Confluence pages in the first step, you can view all permissions to access the underlying data. You can edit these in the app to avoid possible access by third parties again. You can also view the entire history of access to the data in the app, allowing you to see if anyone has accessed the data and data may have leaked out. Afterwards you can anonymize or, if necessary, delete the data.
4. In the event of a violation of the protection of personal data, you must immediately report the data breach or leak to the local supervisory authority. We have listed the information you must provide to them in the last section. When describing the actions you took, you can mention the actions taken in steps 1 to 3.
By following these steps, you have handled the violation of the protection of personal data in compliance with the law.
Prevent data breaches and leaks with Data Protection and Security Toolkit for Jira and Confluence
To prevent the violation of the protection of personal data from happening in the first place, the app has other useful features for you: data rules. With these, you can define data processing rules to ensure that you don’t miss any personal data that needs to be cleaned (or even deleted). To learn how to use these data rules in practice, watch our short product video:
With the help of this tool, you do not have to worry about plugging data leaks or breaches in Jira or Confluence, because you don’t let them happen in the first place.
Personal data breaches and leaks in Jira and Confluence: a conclusion
Data protection in Jira and Confluence may seem inscrutable to you at first, but with the help of the right tool it can be done in no time. Thanks to our article, you now know all the steps you need to take just in case of a data breach or leak and which tool will help you in Jira and Confluence: Data Protection and Security Toolkit for Jira und Confluence. Because our app not only helps you when it’s already too late, but also prevents data leaks and breaches in advance. This makes your company’s work on data protection much easier and lets your data protection officers sleep in peace again.