When the General Data Protection Regulation comes into force on 25 May 2018, organizations and businesses will face new legal requirements for notifying a data breach.
Reporting a data breach to the Data Protection Authority (DPA)
GDPR requires that a business or organization report a data breach to the relevant DPA within 72 hours of becoming aware of it. For particularly complex breaches that need further investigation, an organization or business may submit a preliminary report within the 72 hours and follow it up with more comprehensive information as soon as possible.
Reporting a data breach to data subjects
Data breaches must also be reported to the affected data subjects when the breach poses a high risk to their personal data. This notification must be made without undue delay. When assessing the level of risk posed by the breach, an organization or business must consider factors such as the amount of personal data involved and whether that personal data is already in the public domain.
When notifying the DPA and data subjects of a data breach, the organization or business must include information such as the contact details of the data protection officer (DPO), what happened during the breach, how much personal data was affected and what steps it is taking to address the issue. In communications with data subjects, the organization or business should also describe what action, if any, the data subjects need to take.
Failure to comply with the GDPR data breach notification requirements can have serious consequences. The maximum fine is 10 million euros or 2% of annual turnover. This penalty can be imposed in addition to the maximum fine for non-compliance with GDPR, which is 20 million euros or 4% of annual turnover.