Under GDPR, your data breach notification and incident response procedures must enable you to tell your supervisory authority about a data breach within 72 hours of discovering it. You should make sure you have the right procedures in place to detect, report and investigate a ‘personal data breach’.
The GDPR and the Directive define personal data as
“any information relating to an identified or identifiable natural person (“data subject”).”
Under the GDPR, a personal data breach is
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
What information should be included in a notification?
- describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected
- provide the data protection officer’s contact information
- describe the likely consequences of the personal data breach
- describe how the controller proposes to address the breach, including any mitigation efforts
If the information is not all available at once, it may be provided in phases.
When a data processor experiences a personal data breach, it must notify the controller but otherwise has no other notification or reporting obligation under the GDPR.
If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals”, information regarding the personal data breach must be communicated to the affected data subjects and, under Article 34, this must be done “without undue delay”.
The GDPR provides exceptions to notifying data subjects in the following circumstances:
- The controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”.
- The controller takes action after a personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” does not materialize.
- When notification to each data subject would “involve disproportionate effort”, in which case alternative communication measures may be used.