Data Breach Notice Responsibilities under GDPR

The soon to be launched General Data Protection Regulation (GDPR) puts greater stress on the safety of private data compared to the earlier Instruction. This implies that organizations and businesses should focus on the way in which they safeguard the private data they handle as well as the way they alert related parties regarding data breaches.

Even though GDPR doesn’t specify any particular data safety measures that should be taken to comply, it does state that organizations and businesses should take any technical and organizational measures required in order to safeguard the private data they handle, according to Article 32. It also proposes some steps that might be suitable, like the encryption of data and guaranteeing the capability to restore data after an occurrence.

Every organization or business should take measures to safeguard the private data that it handles; this is particularly the case when the data is thought to be high risk. High-risk data can contain information concerning religion, health and sexual orientation. Organizations and businesses should also maintain records of the procedures and processes they set up. If they can’t generate this documentation, they are in danger of being found to be non-compliant.

Informing a Data Breach

As per GDPR laws, data breaches should be informed to the related administrative organization within 72 hours, whenever possible. If it’s impossible to make a complete report within 72 hours, the administrative organization must be informed and complete details must follow without unnecessary delay, along with an acceptable reason for the late informing. These notices are not required if the breach isn’t likely to present a danger to the freedoms and rights of people. Failure to abide by these laws might lead to a business or organization facing a penalty for non-compliance. These penalties are decided by the related Data Protection Authority (DPA), depending on the direction from the Article 29 Working Party. The highest penalty possible is 4% of annual transaction or €20m, whichever amount is more.

If there is a high danger to the freedoms and rights of data subjects, the people affected should also be informed of the breach, without unnecessary delay. There are 3 exclusions to this when the data which has been breached has been made incomprehensible by the use of methods like encryption, when the data manager has acted to lessen the high danger and where sending separate telecommunications would involve unbalanced attempt and a different type of interaction is more suitable. This interaction might contain a message on the website of the organization or business or a press statement.

The purpose of incorporating these laws in GDPR is to make sure that the private data of people residing within the European Union is handled securely, regardless of which country they reside in. This applies whether or not the organization or business that is handling the data is located in the European Union. Securing private data in this way makes sure that the freedoms and rights of people throughout the European Union are safeguarded in an even way.