How to report a data breach to your supervisory authority

Under the GDPR (General Data Protection Regulation), organisations must report certain types of data breach to their supervisory authority within 72 hours of becoming aware of it.

This requirement can be relatively straightforward if you are suitably prepared. The first thing you’ll need to determine after a breach is whether the incident meets the GDPR’s criteria for reporting – i.e. does it pose a threat to the rights and freedoms of data subjects? This includes things such as identity theft or fraud.

You can find this out, and gather the necessary information for your notification, by following these six steps:


1. Situational analysis

You must give your supervisory authority as much information as you can about the context of the breach. This should include when the breach occurred, when and how you discovered it, who or what was to blame and the effects that it had on your organisation.


2. Assess the data affected

What categories of personal data are involved, and how many records have been breached?


3. Describe the incident

What are the consequences of the breach for affected data subjects? For example, if financial records are stolen, you should state that crooks might use individuals’ information to make fraudulent purchases.


4. Preventive measures and actions

Describe the actions you took, or propose to take, as a result of the breach. You should also state whether you have informed the data subjects of the breach and whether you have told or are planning to tell any other organisation.

If the breach was the result of human error, you must state whether the employee(s) responsible had received data protection training in the last two years.


5. Oversight

You should include the contact details of your DPO (data protection officer) or whoever is responsible for data protection in your organisation. You should also provide your organisation’s registered address.


Who is your supervisory authority?

Each member state has its own supervisory authority:

Austria: Österreichische Datenschutzbehörde
Belgium: Commission de la protection de la vie privée
Bulgaria: Commission for Personal Data Protection
Croatia: Croatian Personal Data Protection Agency
Cyprus: Commissioner for Personal Data Protection
Czech Republic: The Office for Personal Data Protection
Denmark: Datatilsynet
Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Finland: Office of the Data Protection Ombudsman
France: CNIL (Commission Nationale de l’Informatique et des Libertés)
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Greece: Hellenic Data Protection Authority
Hungary: National Authority for Data Protection and Freedom of Information
Republic of Ireland: Data Protection Commissioner
Italy: Garante per la protezione dei dati personali
Latvia: Data State Inspectorate
Lithuania: State Data Protection
Luxembourg: Commission Nationale pour la Protection des Données
Malta: Office of the Data Protection Commissioner
Netherlands: Autoriteit Persoonsgegevens
Poland: GIODO (The Bureau of the Inspector General for the Protection of Personal Data)
Portugal: CNPD (Comissão Nacional de Protecção de Dados)
Romania: The National Supervisory Authority for Personal Data Processing
Slovakia: Office for Personal Data Protection of the Slovak Republic
Slovenia: Information Commissioner
Spain: Agencia de Protección de Datos
Sweden: Datainspektionen
United Kingdom: The ICO (Information Commissioner’s Office)


The Data Breach Survival Guide

You can find out more about how to prepare for data breaches by reading our new guide, The Data Breach Survival Guide.

This free green paper provides in-depth advice for each step, and explains how you can reduce the risk of information security incidents.
