A quick guide to the GDPR’s data breach notification requirements

One of the biggest talking points of the GDPR (General Data Protection Regulation) is its data breach notification requirements. The rules, which include a strict 72-hour deadline for reporting incidents, have caused many organisations to question how they could possibly comply, and many will be tempted to put off their duties and deal with data breaches if and when the time comes.

But make no mistake: a breach will happen, and you’ll need a plan in order to mitigate the damage and meet your compliance requirements. In this blog, we explain everything you need to know about managing data breach response.


What is a personal data breach?

A data breach is any event in which the confidentiality, integrity or availability of information is compromised. Data doesn’t need to be stolen to be breached; it might also have been lost, altered, corrupted or accidentally disclosed.

Data breaches can happen to any kind of information, but the GDPR is concerned only with personal data. The Regulation defines this as “any information relating to an identified or identifiable natural person”. In other words, any information that is clearly about a particular person.

This might be someone’s name, ID number, online identifier, etc., or a combination of details that can be pieced together to establish somebody’s identity.


When do you need to report breaches?

Personal data breaches that “pose a risk to the rights and freedoms of natural living persons” need to be reported to your supervisory authority.

This refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.

When reporting a breach, you need to provide the following information:

  1. Situational analysis: Provide as much context as possible, including the initial damage (what happened), how it affected your organisation (what went wrong) and what caused it (how it happened).
  2. Assessment of affected data: Ascertain the categories of personal data and the number of records concerned.
  3. Description of the impact: Describe the consequences of the breach for affected parties. This will depend on the information that was compromised.
  4. Report on staff training and awareness: If the breach was a result of human error, did the employee(s) involved receive data protection training in the past two years? Provide details of your staff awareness training programme.
  5. Preventive measures and actions: What measures did you have in place before the breach to prevent incidents like this from occurring? What steps have you taken, or plan to take, to mitigate the damage?
  6. Oversight: Provide the contact details of your DPO (data protection officer) or the person responsible for data protection.

How much time do you have to report a breach?

Organisations must report a breach within 72 hours of discovery. The GDPR acknowledges that it will be hard to produce all of the necessary information within this timeframe, so you aren’t expected to provide comprehensive details in the initial report.


How will you respond to a data breach?

You can discover more of our tips for managing data breaches by reading The data breach survival guide.

This free download provides more detail about how you can meet each of the steps we’ve outlined here, and explains how you can reduce the risk of information security incidents.