Under the GDPR (General Data Protection Regulation), organisations must report certain types of data breach to their supervisory authority within 72 hours of becoming aware of it.
This requirement can be relatively straightforward if you are suitably prepared. The first thing you’ll need to determine after a breach is whether the incident meets the GDPR’s criteria for reporting – i.e. does it pose a threat to the rights and freedoms of data subjects? This includes things such as identity theft or fraud.
You can find this out, and gather the necessary information for your notification, by following these six steps:
1. Describe the context of the breach
You must give your supervisory authority as much information as you can about the context of the breach. This should include when the breach occurred, when and how you discovered it, who or what was to blame and the effects that it had on your organisation.
2. Assess the data affected
What categories of personal data are involved, and how many records have been breached?
3. Describe the incident
What are the consequences of the breach for affected data subjects? For example, if financial records are stolen, you should state that crooks might use individuals’ information to make fraudulent purchases.
4. Preventive measures and actions
Describe the actions you took, or propose to take, as a result of the breach. You should also state whether you have informed the data subjects of the breach and whether you have told or are planning to tell any other organisation.
5. Staff training
If the breach was the result of human error, you must state whether the employee(s) responsible had received data protection training in the last two years.
6. Provide contact details
You should include the contact details of your DPO (data protection officer) or whoever is responsible for data protection in your organisation. You should also provide your organisation’s registered address.
Who is your supervisory authority?
Each member state has its own supervisory authority:
The Data Breach Survival Guide
This free green paper provides in-depth advice for each step, and explains how you can reduce the risk of information security incidents.