Let’s get started!
Ready to extend visibility, threat detection and response?
Get a DemoMillions of organizations worldwide are covered by the European Union’s General Data Protection Regulation (GDPR). GDPR does not only regulate how organizations should protect personal data, it also stipulates what an organization should do after it has undergone a security breach that affects personal data. Organizations must report a breach within 72 hours to a Data Protection Officer (DPO) in their region, and in some cases must also notify individuals whose data was exposed.
To learn about a similar requirement in other legislation, see our article on HIPAA Breach Notifications.
The GDPR legislation specifies that an organization must report a security breach that affects personal data to a Data Protection Authority (DPA). According to Article 33 of the law, organizations must notify the DPA of a breach within 72 hours of becoming aware of the breach.
The law requires notification within 72 hours “where feasible”, so it is possible to request an extension, and it is also acceptable to inform the DPA in stages, as details about the breach become available.
What is the implication of failing to report a breach?
Failure to issue a breach notification can result in a fine of up to €10 million or 2% of a company’s revenues. However, European authorities emphasize that fines are a last resort and will only be used for severe or repeat offenses. The UK Information Commissioner’s Office (ICO) said that “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
According to the Data Protection Commission’s Quick Guide to Breach Notifications, a breach that requires notification under GDPR is:
Examples of incidents could qualify as data breaches under the GDPR:
According to GDPR, your organization must send data breach notifications to one of the Data Protection Authorities across Europe. Which DPA you should report to, depends on a few factors:
Most DPAs provide an online form you can use to report the data breach. You should prepare as much information as possible in advance, so you have it ready when you start filling the form.
The DPAs for each EU member state are listed by the European Data Protection Board on this page.
Tips From the Expert
In my experience, here are tips that can help you better manage GDPR compliance when it comes to data breaches:
Below is the mandatory information that should be included in a breach notification letter to the relevant DPA.
Nature of the Breach | How the breach happened, how many individuals were affected, categories of data affected, how many records were lost, exposed, etc. |
---|---|
Contact Persons | Name and contact details of the entity considered the point of contact for data protection in your organization – a Data Protection Officer (DPO), EU representative, etc. |
Consequences of the Breach | Explain what could happen as a result of the breach. Can the loss or exposure of data lead to identity theft, financial damages, or other negative consequences? |
Measures Taken | Explain what you have done, or plan to do in the future, to address the breach. This should include how to solve the immediate problem – for example how to decrypt or restore the data – and how to prevent and mitigate similar incidents in future. |
If a data breach is likely to result in risks to EU consumers who are the owners of the data (“data subjects” in GDPR terminology), you need to notify the data subjects directly about the data breach.
In general, if you notify the DPA about a data breach you are probably also required to notify data subjects. There are a few exceptions:
Cynet 360 is a holistic security platform including monitoring and control, prevention and detection of attacks, response orchestration, and managed incident response services. Cynet is designed to help with regulatory compliance, and can help with three of the key principles of GDPR for processing personal data. Cynet can assure data is stored with integrity and confidentiality, and helps with accountability by providing advanced prevention and detection tools.
Learn how the Cynet 360 platform helps you meet GDPR requirements.
Search results for: