The GDPR (General Data Protection Regulation) introduced strict new rules regarding the way organisations report data breaches.
Many businesses have already been caught out by these requirements. As a result, they’ve made a bad situation worse or created unnecessary work for themselves by reporting incidents that don’t meet the reporting criteria.
You can avoid making the same mistake by following the advice in this blog.
What is a personal data breach?
The GDPR’s requirements only apply to personal data breaches. There has been some uncertainty about exactly what this refers to, so let’s break it down into its two constituent parts.
First, ‘personal data’: this is information that relates to a natural person – such as their name, contact details or health records – as opposed to intellectual property or company details.
Second, ‘breaches’: this is any event that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Data breaches are often caused when a cyber criminal accesses an organisation’s database, but they can also occur when an employee loses a laptop, sends an email containing sensitive information to the wrong person or fails to properly dispose of files.
When do data breaches need to be reported?
Organisations must report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach.
But before you send your notification, you should check that it meets the GDPR’s notification requirements. Incidents only need to be reported if they “pose a risk to the rights and freedoms of natural living persons”.
‘Risk’ here refers to the possibility of data breach victims facing economic or social damage (such as discrimination), reputational damage or financial losses.
What should a data breach notification include?
Your data breach notification should state:
- The type of personal data breach, including the type and estimated number of individuals affected, and the type and estimated number of personal data records concerned;
- The name and contact details of a point of contact where further information can be obtained, such as that of the DPO (data protection officer);
- The possible outcomes of the personal data breach; and
- A list of measures taken or being taken to deal with the breach and appropriate measures taken to mitigate any adverse effects.
Notifying affected individuals
After your supervisory authority has been notified, you must also inform affected individuals.
At the very least, this should comprise a statement that lets them know that an incident has occurred. However, you might also choose to set up a web page and helpline that people can use to find out more and have their questions answered.
Looking for help meeting your notification requirements?
The GDPR’s data breach notification requirements will be a challenge for any organisation, and with the possibility of significant fines, you need to be sure you’re up to the task.
Our Certified GDPR Foundation Training Course provides a comprehensive introduction to the Regulation’s requirements, helping you prepare for when a data breach occurs.
Over the course of a day, you’ll gain a practical understanding of the implications and legal requirements of the GDPR, as one of our data protection experts guides you through everything you need to know.
A version of this blog was originally published on 10 August 2017.