What should a GDPR data breach notification include? When do you need to report a data breach? Is it always mandatory to report it?
In this post, we’ll answer all these questions and show you what a GDPR data breach notification should include.
The EDPB has published updated guidelines 9/2022 on personal data breach notification under the GDPR. The guidelines “clarify notification requirements for personal data breaches at non-EU establishments” and require that member states’ supervisory authorities are notified of such breaches when affected data subjects reside in a particular member state.
A data breach is a security incident that can lead to the destruction, loss, alteration, or unauthorized sharing of personal data. It can be either deliberate, such as an external cyberattack, or accidental.
Indeed, some of the most common causes of a data breach are the lack of appropriate security measures and carelessness. For instance, devices containing confidential data get lost or stolen, or employees grant access to data to the wrong person.
Even though unintentional and probably harmless, these are still data breaches.
According to Article 33 of GDPR, you don’t need to report every data breach, but only those that are likely to result in a risk to individuals’ rights and freedoms.
If you happen to be a victim of such a data breach, you need to notify the Supervisory Authority within 72 hours, and you must inform users whose data was affected, too.
Failing to report such a data breach can expose you to fines of up to €20 million or 4% of your annual worldwide turnover, not to mention that a lack of transparency can deal a devastating blow to your reputation and lead to a loss of trust from your customers.
Please note that, whether or not you are required to report the breach, you need to keep records of all the breaches that happened to your company, no matter how insignificant they may seem. Records will help authorities assess whether you’re complying with the law.
The GDPR mandates that a data breach notification includes, at the very least:
If you’re still in doubt, have a look at the ICO’s website here for some useful resources that can help you to understand what to do if a data breach happens.
💡 Keeping clear and detailed records of your internal processing activities can help you stay on top of your processes and more easily assess potential risks.