Ransomware attacks as data protection incidents: GDPR requirements and reporting obligations in focus

date: Jan 27, 2025
Author: Dzevad Mujezinovic

Ransomware attacks reached a new record high in 2024 and are threatening companies worldwide. Critical industries such as healthcare and public authorities are a particular focus, but small and medium-sized enterprises (SMEs) are also increasingly affected. Cybercriminals are increasingly relying on data theft (exfiltrating data before encrypting it) to force ransom payments. Unfortunately, this perfidious tactic is often successful, which further exacerbates the threat situation.

But how can companies defend themselves? The General Data Protection Regulation (GDPR) plays a central role in the fight against cyberattacks by setting out clear requirements and reporting obligations.

The GDPR as a guide for cybersecurity

The GDPR requires companies to implement appropriate technical and organizational measures to protect personal data (Article 32 GDPR). If a data protection incident nevertheless occurs - for example due to a ransomware attack - the reporting obligations of the regulation apply.

According to Article 33 GDPR, controllers must report a personal data breach to the competent supervisory authority without undue delay and at the latest within 72 hours of becoming aware of it. An exception only applies if there is demonstrably no risk to the rights and freedoms of data subjects.

But what does a correct notification look like? And what specific steps should companies take?

Step-by-step: How to report a ransomware attack correctly

1. Review internal procedures: If you have not already done so, establish clear processes for handling data breaches. These procedures should be tested and adjusted regularly.

2. Carry out a risk assessment: Assess as precisely as possible whether and to what extent personal data is affected. This assessment is the basis for further communication with the supervisory authority.

3. Initial notification within the deadline: The initial notification must be made within the 72-hour deadline, even if not all details are yet available. Subsequent updates can and should be submitted later.

4. Use encrypted communication: All sensitive information should always be sent to the data protection authority in encrypted form. This ensures a secure exchange of data.

5. Take immediate action: Do not wait for a forensic investigation to be completed. Take immediate and appropriate action to mitigate the data breach and document these steps.

6. File a criminal complaint: File a criminal complaint with the relevant law enforcement authorities. This not only signals a willingness to act, but can also help to limit the damage.

7. Regular updates to the authorities: Keep the supervisory authority continuously informed about the progress of the measures. Open and transparent communication facilitates cooperation.

8. Complete documentation: Every step in dealing with the data breach must be documented internally. These records are essential regardless of the level of risk and can be requested in the event of an audit.

Cooperation with the data protection authority: how to succeed

Effective cooperation with the data protection authority requires:

  • Willingness to cooperate: Provide all requested information in a timely manner.

  • Continuous information: Keep the authority informed about progress and measures at all times.

  • Implementation of recommendations: Take into account advice from the authority to optimize your data protection measures.

This proactive attitude signals that you are taking the data protection incident seriously and are doing everything you can to prevent future incidents.

GDPR as a driver for robust cybersecurity

The General Data Protection Regulation not only sets a clear framework for the protection of personal data, but also acts as a catalyst for a sustainable cybersecurity strategy in companies. Article 32 GDPR defines security requirements that help companies protect digital assets and strengthen their resilience to cyber threats.

At a time when ransomware attacks are increasing exponentially, the GDPR is proving to be an indispensable tool. It requires not only reaction, but also prevention: companies that implement the GDPR consistently will benefit from increased digital resilience in the long term.

Conclusion: Ransomware attacks are more than just IT incidents - they are data protection incidents with far-reaching consequences. Compliance with GDPR requirements is not only a legal obligation, but also an opportunity to raise your own cybersecurity to a new level. Companies that focus on this will benefit from a solid foundation for the protection of sensitive data and a competitive advantage in the digital world.