With the GDPR deadline rapidly approaching, organizations are taking the final steps toward ensuring compliance for their data security systems.
In Articles 33 and 34, the GDPR outlines the specific protocol that must be followed in the event of a data breach, including who must be notified of a breach, how, and when.
By being prepared to follow these guidelines, organizations can foster public trust and maintain good standing with EU regulatory authorities. Below we’ll go over the requirements laid out in the GDPR as they relate to breach response notification.
How Does The GDPR Define Data Breach?
According to the new regulation, only personal data breaches require notification; breaches involving other data, such as intellectual property, do not need to be reported under GDPR.
The GDPR defines a personal data breach as “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Personal data itself is information that can be specifically linked to one person; examples include name, social security number, date and place of birth, medical records, and financial information.
After a personal data breach occurs, the organization’s data controller must report the breach if it is determined to pose a risk to EU citizens’ “rights and freedoms.” Most personal data breaches, including ransomware attacks, involve data theft or infringe upon the right to privacy and should thus be reported. However, if the personal data is encrypted and the key to accessing the encrypted data is not compromised, then the breach would not necessarily have to be reported.
Regardless of external notification, Article 33 requires internal reporting to ensure organizations keep track of data breaches, stating, “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach.”
Who Should Be Notified Of A Data Breach?
When a personal data breach occurs, organizations are required to notify the appropriate supervisory authorities, as outlined in Article 51. Further, the victims themselves should be notified of a data breach when there is a “high risk to the rights and freedoms” of these individuals. Examples of these situations include personal data breaches that include medical or financial information, contact information that includes sensitive data such as that related to ethnicity, or victims who are children.
What Should Be Included In The Notification?
When reporting a data breach to supervisory authorities, organizations should:
- Describe the nature of the personal data breach. If possible, include the approximate number of data subjects, categories, and personal data records affected.
- List the point of contact for getting more information about the breach. This is usually a data protection officer.
- Describe the plausible consequences of the personal data breach.
- Describe what measures the data controller has taken or proposes to take in order to address the personal data breach. These measures should include steps taken to avoid or mitigate possible negative effects.
What Is The Timeframe For Notification?
Data breaches must be reported to a supervisory authority within 72 hours of detection and identification as a breach. If organizations are unsure, they can also inform the supervising authority that a data breach has likely occurred and that an investigation is pending to glean more information – this will not affect the 72-hour time window.
Article 33 states that if a notification is not made to the supervisory authority within 72 hours, it must be made clear why the timeline wasn’t met. Article 34 states that a data controller must notify a “data subject,” or consumers affected, of a breach “without undue delay.”
Deadline Right Around The Corner
Organizations that haven’t yet prepared for the GDPR likely won’t be ready by May. But, between now and then, there are still steps companies can take to get ready for the new regulation.
It’s important to keep in mind that non-compliance comes with a big price tag – companies that don’t comply with the GDPR can be fined as much as 10,000,000 euros or up to two percent of total annual turnover.
For a more in-depth look at the guidelines for breach notification, including tables and flowcharts, you can download this document recently released by the EU.