How to report a data breach under the GDPR

The GDPR (General Data Protection Regulation) introduced strict new rules regarding the way organisations report data breaches.

Many businesses have already been caught out by these requirements. As a result, they’ve made a bad situation worse or created unnecessary work for themselves by reporting incidents that don’t meet the reporting criteria.

You can avoid making the same mistake by following the advice in this blog.

What is a personal data breach?

The GDPR’s requirements only apply to personal data breaches. There has been some uncertainty about exactly what this refers to, so let’s break it down into its two constituent parts.

First, ‘personal data’: this is information that relates to a natural person – such as their name, contact details or health records – as opposed to intellectual property or company details.

Second, ‘breaches’: this is any event that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Data breaches are often caused when a cyber criminal accesses an organisation’s database, but they can also occur when an employee loses a laptop, sends an email containing sensitive information to the wrong person or fails to properly dispose of files.

When do data breaches need to be reported?

Organisations must report data breaches to the relevant supervisory authority within 72 hours of becoming aware of them.

But before you send your notification, you should check that it meets the GDPR’s notification requirements. Incidents only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.

‘Risk’ here refers to the possibility of data breach victims facing economic or social damage (such as discrimination), reputational damage or financial losses.

What should a data breach notification include?

Your data breach notification should state:

  • The type of personal data breach, including the type and estimated number of individuals affected, and the type and estimated number of personal data records concerned;
  • The name and contact details of a point of contact where further information can be obtained, such as that of the DPO (data protection officer);
  • The possible outcomes of the personal data breach; and
  • A list of measures taken or being taken to deal with the breach and appropriate measures taken to mitigate any adverse effects.

Notifying affected individuals

After your supervisory authority has been notified, you must also inform affected individuals.

At the very least, this should comprise a statement that lets them know that an incident has occurred. However, you might also choose to set up a web page and helpline that people can use to find out more and have their questions answered.

Looking for help meeting your notification requirements?

The GDPR’s data breach notification requirements will be a challenge for any organisation, and with the possibility of significant fines, you need to be sure you’re up to the task.

Our Certified GDPR Foundation Training Course provides a comprehensive introduction to the Regulation’s requirements, helping you prepare for when a data breach occurs.

Over the course of a day, you’ll gain a practical understanding of the implications and legal requirements of the GDPR, as one of our data protection experts guides you through everything you need to know.


A version of this blog was originally published on 10 August 2017.
