GDPR Data Breach Notifications: Everything You Need to Know
Millions of organizations worldwide are covered by the European Union’s General Data Protection Regulation (GDPR). GDPR not only regulates how organizations should protect personal data; it also stipulates what an organization should do after it has undergone a security breach that affects personal data. Organizations must report a breach within 72 hours to a Data Protection Authority (DPA) in their region, and in some cases must also notify individuals whose data was exposed.
To learn about a similar requirement in other legislation, see our article on HIPAA Breach Notifications.
Data Breaches under GDPR: The 72 Hour Deadline and Potential Fines
The GDPR legislation specifies that an organization must report a security breach that affects personal data to a Data Protection Authority (DPA). According to Article 33 of the law, organizations must notify the DPA of a breach within 72 hours of becoming aware of the breach.
The law requires notification within 72 hours “where feasible”, so it is possible to request an extension, and it is also acceptable to inform the DPA in stages, as details about the breach become available.
What is the implication of failing to report a breach?
Failure to issue a breach notification can result in a fine of up to €10 million or 2% of a company’s revenues. However, European authorities emphasize that fines are a last resort and will only be used for severe or repeat offenses. The UK Information Commissioner’s Office (ICO) said that “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
What is the Official Definition of a Data Breach Under GDPR?
An incident that causes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
‘Personal data’ means any information concerning or relating to an identified or
A personal data breach is not only an incident involving loss of data, but may also include accidental exposure of data, deliberate acts to gain access to customer data, or encryption of data that renders it inaccessible.
A personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data.
Examples of incidents that could qualify as data breaches under the GDPR:
A customer database stored on a physical device has been lost or stolen
Personal data has been encrypted by ransomware, or accidentally encrypted by its owner and the key was lost
Data is deleted by accident, or by an unauthorized person
Critical personal data is rendered unavailable by a cyber attack, such as a Denial of Service (DoS) attack.
Who Should You Notify When a Data Breach Occurs?
According to GDPR, your organization must send data breach notifications to one of the Data Protection Authorities across Europe. Which DPA you should report to depends on a few factors:
If you only operate in one European country or the data is collected, processed and used in one country, you only need to notify the local DPA in that country.
If the data is transmitted between European countries, and you operate in one or more European countries, you should notify the DPA for the country in which decisions around the data are made. This is called a Leading Supervisory Authority (LSA). For example, if the compromised data was financial, and the company’s finance department is in the UK, even if the data was collected or processed in other European countries, the breach notification should be to the UK DPA.
If you do not have a presence in the EU, you must report to the DPA in each European country you are active in.
Most DPAs provide an online form you can use to report the data breach. You should prepare as much information as possible in advance, so you have it ready when you start filling in the form.
The DPAs for each EU member state are listed by the European Data Protection Board on this page.
What Do You Need to Report in your Data Breach Notification?
Below is the mandatory information that should be included in a breach notification letter to the relevant DPA.
Nature of the Breach
How the breach happened, how many individuals were affected, categories of data affected, how many records were lost, exposed, etc.
Name and contact details of the entity considered the point of contact for data protection in your organization – a Data Protection Officer (DPO), EU representative, etc.
Consequences of the Breach
Explain what could happen as a result of the breach. Can the loss or exposure of data lead to identity theft, financial damages, or other negative consequences?
Explain what you have done, or plan to do in the future, to address the breach. This should include how to solve the immediate problem – for example how to decrypt or restore the data – and how to prevent and mitigate similar incidents in future.
Data Breach Notification for Data Subjects
If a data breach is likely to result in risks to EU consumers who are the owners of the data (“data subjects” in GDPR terminology), you need to notify the data subjects directly about the data breach.
In general, if you notify the DPA about a data breach you are probably also required to notify data subjects. There are a few exceptions:
Data was encrypted or anonymized in such a way that third parties cannot use it
You have taken corrective measures and prevented any risk to data subjects
It requires a very large, disproportionate effort to individually notify data subjects
Cynet 360: End-to-End Security for GDPR Compliance
Cynet 360 is a holistic security platform including monitoring and control, prevention and detection of attacks, response orchestration, and managed incident response services. Cynet is designed to help with regulatory compliance, and can help with three of the key principles of GDPR for processing personal data. Cynet can assure data is stored with integrity and confidentiality, and helps with accountability by providing advanced prevention and detection tools.