The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. As a regulation it applies directly in every member state, replacing the 1995 Data Protection Directive and the national laws that implemented it, and bringing a standardised approach to data protection throughout the EU.
One of the main changes under the GDPR is that a data controller must report a personal data breach to its supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, and in some cases must also inform the individuals affected. A processor that discovers a breach must notify the controller without undue delay.
What is a personal data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. So a breach is more than just losing personal data: an attacker reading records, a misdirected email, ransomware encrypting a database or a corrupted backup all qualify, even if no data leaves the organisation.
How to report a breach
A breach must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Depending on the scale of the breach, it may be impossible to investigate fully within that timeframe, so organisations are allowed to provide information in phases, without undue further delay. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay. Whether or not a breach is reported, the organisation must keep an internal record of it, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
What information should be included in a notification?
The information that must be included in a notification of a data breach is:
- The nature of the personal data breach, including, where possible:
  - The categories and approximate number of individuals affected; and
  - The categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer (DPO) or another point of contact where further information can be obtained;
- The likely consequences of the personal data breach; and
- The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
When do the individuals affected have to be notified?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, those affected must be notified directly and without undue delay, in clear and plain language, describing the nature of the breach and giving at least the contact point, likely consequences and mitigation measures listed above.
This notification is in addition to, not instead of, the notification to the supervisory authority: the threshold for informing individuals ("high risk") is simply higher than the threshold for informing the authority ("a risk"). Direct notification is not required where the affected data was protected so that it is unintelligible to anyone not authorised to access it (for example, properly encrypted with keys that were not compromised), where subsequent measures mean the high risk is no longer likely to materialise, or where it would involve disproportionate effort, in which case an equally effective public communication must be made instead. The supervisory authority may also order individuals to be informed if it disagrees with the organisation's assessment.
Learn more from our experts about the steps involved in reporting a data breach and how your organisation can put them in place to meet the deadline with our five-day Certified EU GDPR Foundation and Practitioner Combination Course, which is held in various European locations.