An incident at two medical practices in Hamburg illustrates how quickly a break-in can turn into a data protection emergency. After a targeted theft of hard drives containing sensitive patient data, the police had to be informed, and the data protection officer had to be involved within 72 hours. Under the GDPR, the data subjects themselves must also be informed directly if there is a serious risk to their rights.
Particularly tricky: although the stolen data carriers were later returned, the moment at which the theft was discovered remains decisive, because the reporting and information obligations start from that point, regardless of whether everything is cleared up later. The report by the Hamburg data protection authority stresses that even ongoing criminal proceedings do not release companies from their GDPR obligations.
The discussion about the form of notification is also interesting. In this case, with potentially over 100,000 patients affected, the operator initially relied on handing out information leaflets in person at the practice. The authority did not consider this sufficient: a public notice on the website was required. Individual postal notification did not happen because many patients had not provided any digital contact details, a situation that would hardly ever arise for online companies.
What remains: anyone working with particularly sensitive data should have clear contingency plans in place, including encryption of stored data and realistic channels for informing those affected. Because when the worst comes to the worst, every hour counts.
Source: www.datenschutz-notizen.de