Privacy Daily is a service of Warren Communications News.

Swedish DPA Advises on Personal Data Breaches and the Dark Web

The Swedish Data Protection Authority (DPA) responded Wednesday to what it said were "many questions" about how data controllers should handle situations where cyberattacks on data have led to publication of personal data on the dark web.



The advisory comes in the wake of a massive data leak in late August involving IT systems supplier Miljodata and reportedly affecting some 15% of Sweden's population. Data from the breach was possibly leaked to the dark web, according to media reports. The country's DPA said it's not yet able to determine whether the General Data Protection Regulation was violated or by whom.

It stressed that organizations shouldn't try to download information from the dark web, because doing so amounts to new processing of personal data and can also contribute to further dissemination of the data.

If the personal data breach is likely to lead to a high risk to people's rights, the organization must inform the data subjects of the breach without delay, the watchdog said.

In such cases, the breached organization must clearly describe the nature of the incident and supply data subjects with the contact details of its data protection officer. It must also describe the likely consequences of the breach and the measures the organization has taken to remedy the incident or mitigate its potential effects.

When it would take a disproportionate effort to inform all the data subjects individually, organizations in exceptional cases can inform the public in a way that enables people to protect themselves against harm, the DPA said.

Data subjects should heed advice from the data controller and consider what personal information may have been exposed and what they can do to limit damage.

If protected personal data has leaked, it's important that those affected understand what has happened and the measures they should take. Data subjects should also be alerted to the risk that someone might use their data to deceive them, the DPA said.

The main responsibility for data leaks lies with the controller, it said. However, the fact that a breach has occurred doesn't by itself mean that the controller or processor has failed in its responsibilities. Under the GDPR, personal data must be processed in a way that ensures a level of security appropriate to the risk posed to the data, the watchdog noted.