Ever since the General Data Protection Regulation (GDPR) came into force, the number of reported data breaches has increased, and years of previously undisclosed breaches have finally come to light. Many organizations still fail to report a breach to their supervisory authority or to the affected people, which lands them in trouble with the law. Some also find it difficult to work out how to present the notification.

This article discusses when to report a data breach to the authorities and the affected people, and the notification requirements under GDPR.

What is a Data Breach?

Article 4(12) of the GDPR defines a data breach as:

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

A data breach, therefore, can be intentional or unintentional.

See also the ICO's guidance on this topic: Personal data breaches - ICO.

A data breach becomes more severe if sensitive data is affected. Under GDPR, sensitive data includes information about the data subject’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, or sexual orientation.

Reporting a Data Breach

After becoming aware of a breach, whether you must notify the relevant supervisory authority depends on the severity of the case. Let’s look at the scenarios where you should report the breach and how to do it.

When to Report a Breach?

When you become aware of a breach, first analyze the data affected (its categories and volume) and the extent of the breach. To decide whether and when to report it, determine the risk to the rights and freedoms of the affected people and how severe that risk is.

  • Is the risk low? There is no need to inform the authority; however, you should be able to justify your decision if asked.
  • Is the risk high? Inform the relevant supervisory authority without undue delay.
  • Is the risk severe? Inform the affected individuals as quickly as possible and help them take measures to minimize the harm.

GDPR requires you to report a breach within 72 hours of becoming aware of it. If the risk is high, do it as quickly as possible. If you take longer than 72 hours, you must be able to justify the reason for the delay.

Make sure to document all of your analysis of the data breach, as this record will be valuable later, both to justify your decisions and to improve your response to future incidents.

How to Report a Breach?

Data controllers are often unsure how to report a breach. The Article 29 Working Party has published guidelines for reporting data breaches. Let’s discuss what information you are required to provide to the supervisory authority and to the affected individuals.

To your Supervisory Authority:

  • The nature of the breach, including the number and categories of both the personal data and the people affected.
  • The contact details of the data protection officer (if appointed) or another point of contact.
  • The likely consequences of the breach for people’s rights and freedoms.
  • Measures taken, or proposed to be taken, to address the breach and mitigate its effects.

If all of this information is not available at once, you can provide it in phases, without undue delay.

To the affected data subjects

  • The nature of the breach, described in clear and plain language.
  • The contact details of the data protection officer (if appointed) or another point of contact.
  • The likely consequences of the breach for their rights and freedoms.
  • Measures taken, or proposed to be taken, to address the breach and mitigate its effects.

Please note that an effective Data Protection Impact Assessment (DPIA) conducted at the inception of a project will prepare you in advance to handle possible risks and to choose measures that minimize or eliminate them. It can also give you an early view of the incidents that are likely to occur while processing the data in question. This article discusses the significance of a DPIA and how to carry one out.

Following a breach, investigate its cause thoroughly and determine how to prevent it from happening again.

Failure to Report

Failing to notify the authority, or failing to do so on time, after becoming aware of a breach may result in fines of up to 10 million euros or 2% of your annual global turnover, whichever is higher. You may also face further enforcement action from the relevant supervisory authority for the violation.

Conclusion

The spirit of GDPR is, “Tell it all, tell it fast, tell the truth.” Be honest about the breach, share all the details you have in hand, and do so without undue delay. If you respond quickly and devise an action plan to tackle the risks, you will not only avoid the hefty fines but also be seen in a better light. The ICO also busts some common myths about data breach reporting.

Disclaimer: This article is not written by a lawyer, and hence, it does not represent any legal advice. For any assistance with data breach reporting, please contact your lawyer or an expert specialized in this field.
