A 5-step guide to reporting data breaches under the GDPR

Under the GDPR (General Data Protection Regulation), organisations based in Ireland that act as data controllers must report personal data breaches to the DPC (Data Protection Commission) without undue delay and, where feasible, no later than 72 hours after becoming aware of them. Processors don't report to the DPC directly: they must notify the controller without undue delay so that the controller can meet its own deadline.  

This doesn’t only refer to cyber criminals breaking into your systems. It applies to any personal data breach, i.e. any security incident that compromises the confidentiality, integrity or availability of personal data: unauthorised access, accidental disclosure (an email sent to the wrong recipient, for example), a lost or stolen device, or data being destroyed or made unavailable (as ransomware does).  

Failure to report an incident could lead to penalties under the GDPR’s lower tier of fines: up to €10 million or 2% of your organisation’s annual global turnover, whichever is higher.  

You can avoid this fate by following our five-step guide for reporting data breaches. 

1. Situational analysis

You must identify and document the following information:  

  • The type of breach you’re reporting.  
  • The level of risk the breach poses to affected data subjects.  
  • When the breach occurred and how it was detected.  
  • The nature of the breach.  
  • Whether you’ve notified affected individuals.  
  • Whether the breach has been contained.  

The faster you identify a security incident, the sooner you can mitigate the damage and alert those affected. Unfortunately, few organisations have a clear understanding of their state of readiness when it comes to data breach reporting.  

You can address that by implementing an incident response plan, which allows you to prepare for, respond to and follow up on cyber attacks. 

This doesn’t just reduce the likelihood of incidents occurring; it also accepts that some incidents are inevitable and makes sure that, when one happens, everyone knows what to expect and what to do.

2. Assessing the affected data

You must identify and document the following information:  

  • The types of personal data that were breached (names, addresses, payment card information, etc.).  
  • Whether special categories of data were involved.  
  • How many individuals were affected.  
  • Whether vulnerable individuals were affected. This includes children, people with mental illnesses, asylum seekers, the elderly and data subjects whose relationship with the data controller contains an imbalance of power (employee-employer or tenant-landlord, for example).   

Organisations usually process much more information than they realise, which means a security incident can be more damaging than they expected.  

You can avoid this problem by mapping the data flows through your organisation. Doing this gives you an understanding of all the personal data you collect, store or otherwise process, as well as where and how you transfer it. 

To map data effectively, you must also review the ways in which it flows from suppliers and sub-suppliers through your organisation and on to customers and clients. 

As part of this process, you should document these movements and identify key elements of the data, such as the type of information, the format it’s stored in, where it’s kept and the lawful basis for processing.

3. Describing the impact

You must identify and document the potential consequences of the breach for individuals. You may also be required to provide a follow-up report that describes: 

  • Any measures you had in place before the breach that aimed to prevent an incident of that nature;
  • Actions you’ve taken to fix the problem and mitigate any adverse effects; and
  • Steps you’re taking to prevent recurrence, and when you expect to complete these steps.

You’ll be able to answer these questions if you’ve recently conducted a risk assessment. This process helps you identify and assess relevant threats to your organisation, and establish the potential impact of a data breach on both your business and data subjects. 

Risk assessments also help you implement measures to manage those risks. More to the point, they ensure that those measures are appropriate to your organisation and that the most serious threats are prioritised.

4. Preventive measures and actions taken

You must identify and document the following information:  

  • Whether staff were made aware of their GDPR compliance responsibilities;
  • Whether data subjects have been informed about the breach and how it might affect them; and
  • Whether you’ve told, or are planning to tell, other relevant organisations about the breach.

Data breaches can occur even if the organisation has appropriate measures in place. That’s the nature of information security; criminals find ways around defences and employees make mistakes that compromise the organisation’s systems. 

As a result, you’re not automatically liable just because you’ve been breached. However, to avoid penalties you must be able to demonstrate that you had appropriate technical and organisational measures in place to protect the data (the requirement set out in Article 32 of the GDPR) and that you handled the breach properly once it occurred.  

This is where ISO 27001 helps. The Standard sets out the requirements for a best-practice ISMS (information security management system): a risk-based approach to corporate security that, unlike the GDPR, specifies concrete controls for managing information security risks, which makes it a practical way of evidencing that your measures were appropriate.

5. Oversight

You must identify and document the following information:  

  • Your organisation’s name; and
  • The details of the person reporting the incident.  

You need to provide a point of contact so that the DPC can communicate with your organisation about investigating the incident.  

This should be your DPO (data protection officer) or, if you don’t have one, whichever employee is responsible for your organisation’s data protection.  

When do you need to report a data breach? 

You only need to report to the DPC when the breach is likely to result in a risk to the rights and freedoms of natural persons; the GDPR exempts breaches that are “unlikely to result in a risk”. Where a breach is likely to result in a high risk to individuals, you must also tell the affected individuals themselves, without undue delay.  

“Risk” here refers to the possibility of affected individuals suffering physical, material or non-material damage, such as discrimination, identity theft or fraud, financial loss, reputational damage, or loss of confidentiality of data protected by professional secrecy.

You’ll be able to determine whether this is the case during the situational analysis (step 1) and the assessment of the affected data (step 2).

However, it’s worth noting that you are required to keep a record of all personal data breaches, whether they need to be reported or not, including the facts of the breach, its effects and the remedial action taken, so that the DPC can verify your compliance. It’s therefore important to document the answers from steps one and two even if you don’t send the information to the DPC.  

Are you prepared for the inevitable?

No matter how resilient your cyber security defences are, there is always the risk of a data breach. That’s why you need a plan for what you’ll do when a security incident occurs.

You can learn more about how to respond with our Data Breach Survival Guide.

This free guide explains how you can identify risks, protect your data and respond to and recover from security incidents. 

It covers:

  • Your data breach reporting obligations under the GDPR;  
  • The five steps for reporting a personal data breach to the Irish Data Protection Commission (DPC); and
  • The importance of putting precautionary measures in place. 

A version of this blog was originally published on 21 March 2019. 
