
Data Breach GDPR (Quick Guide To Personal Data Breach Notification)

What is a Data Breach GDPR?

What are personal data breaches, and what should a company do about them?

What are the consequences of not respecting GDPR obligations?

In this article, we will provide you with a quick guide to the personal data breach notification obligations.

We will look at what a personal data breach is, what a controller should do in the event of a breach, what a processor should do in the event of a breach, what the consequences are, and more.

Are you ready?

Let’s get started!

What is a personal data breach

To understand personal data breach, let’s first look at its legal definition as it appears in the GDPR text.

The objective under GDPR, which is essentially a data protection law, is to ensure that companies react quickly to personal data breaches and that individuals have an opportunity to take the necessary precautions.

Legal definition 

Article 4(12) GDPR specifically defines a personal data breach as: 

“means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Recap of the law

So what is a personal data breach?

GDPR defines it very broadly and here is a quick recap:

  1. Personal data was destroyed in an accidental way  
  2. Personal data was destroyed in an unlawful manner
  3. Personal data is lost 
  4. Personal data is altered
  5. Personal data was disclosed without authorization 
  6. Personal data was accessed without authorization
  7. Personal data was transmitted without authorization
  8. Personal data was stored without authorization
  9. Personal data was processed in any other way without authorization

The definition of a personal data breach under GDPR is very broad and can capture a wide range of scenarios.

For instance, if your organization is responsible for personal data and you suffer a security incident in which personal data is compromised or accessed, the confidentiality of the data is violated or its integrity is affected, you have a data breach under GDPR.

Any security breach or unauthorized access, use or disclosure of data can be a personal data breach.

Companies must make sure to implement proper organizational and technical measures to prevent a personal data breach, since a breach triggers many obligations under GDPR.

GDPR concerns personal data 

GDPR is only concerned with personal data.

In the event of a data breach or security incident, an organization will be accountable under GDPR with respect to the personal data that was compromised.

Now, what are the obligations of a company in the event of a personal data breach?

Personal data breach notification to supervisory authorities

A controller has important obligations to observe with respect to the notification and communication of an event where personal data is breached.

Let’s start by looking over the notification obligations.

Article 33 GDPR: Controller’s notification obligation of a personal data breach

Should there be a data breach, the data controller must notify the applicable supervisory authority without undue delay and, where feasible, within 72 hours.

Article 33 GDPR states: 

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55”

The notification to the supervisory authority must be done:

  1. Without undue delay once the controller discovers the personal data breach
  2. At the latest within 72 hours from the moment the controller becomes aware of the personal data breach
  3. If it takes the controller more than 72 hours, it must provide a clear justification for the delay

The notification timeline is short by design: the objective is for a company to react expeditiously to limit losses and consequences for the data subjects.

Article 33 GDPR: Processor’s notification obligation of a personal data breach

The data processor also has notification obligations to respect.

Essentially, a processor must notify the controller without undue delay of a personal data breach after it becomes aware of one.

If a data breach occurs and the data processor does not notify the controller in a timely fashion, the controller may also be put in breach of its GDPR obligations.

The data processor should provide all the necessary information to the data controller so it can comply with its own notification obligation towards the supervisory authority, if required.

What is the content of the notification?

A data controller must provide all the relevant details about the personal data breach so a supervisory authority can assess the potential consequences on the data subjects and determine if the company has already taken the right course of action or not.

The controller’s breach notification to the supervisory authority should contain:

  1. Description of the nature of the personal data breach
  2. Categories of personal data breached
  3. Approximate number of data subjects affected
  4. Approximate number of personal data records affected
  5. Company’s contact details
  6. Company’s data protection officer contact details, if any
  7. The company’s assessment of the likely risks and consequences of the personal data breach for the data subjects
  8. Description of the measures taken to address the breach
  9. Description of the measures taken to mitigate the risk to data subjects

Providing information on the breach in phases

In some cases, a company may not have all the relevant information on hand to fully explain what the data breach was, how many people were affected, what the consequences are, and so on.

In such a case, a controller must nonetheless notify the supervisory authority, but it may disclose additional information in phases as it acquires it.

This can be the case when a company needs to hire an external expert to assess and investigate the breach or additional information is required to evaluate the nature of the breach.

What’s important is that the breach is notified to the supervisory authority along with a transparent overview of what information is currently available and what information you are looking to gather in the coming days.

Timeline to report a breach? 

A controller must report a data breach without undue delay.

This means: asap!

GDPR goes further and says, a security breach must be reported without undue delay but no later than 72 hours after becoming aware of the incident.

The clock starts ticking from the moment the controller becomes aware of the security breach.

Now, be careful.

If a controller did not implement appropriate and reasonable technical and organizational measures to detect security breaches and it took much longer to discover the breach compared to another diligent company, the supervisory authorities will consider that in its assessment.

If a company is unable to gather all the needed information within 72 hours, it must still report the breach within this timeline and notify the supervisory authority that it is gathering additional information, which will be disclosed as it becomes available.

If a company misses the 72-hour timeline, it is in breach of GDPR; it must still report the breach and explain why the legal timeline was not respected.

Assessing risk to data subjects

When a controller notifies the supervisory authority of a breach of personal data, what’s important is that it assesses the likely consequences and risks to the data subjects.

In some cases, this can be a simple exercise but it can also be more challenging.

What does GDPR consider as a risk or consequence to data subjects?

Recital 85 GDPR gives us the guidance needed as follows:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

A company must assess the physical, material and non-material damages data subjects may possibly suffer.

This includes:

  1. Limitation of rights
  2. Possible discrimination
  3. Identity theft
  4. Fraud
  5. Financial loss
  6. Unauthorised reversal of pseudonymisation
  7. Damage to reputation
  8. Loss of confidentiality
  9. Disclosure of data protected by professional secrecy
  10. Economic disadvantage to the data subject
  11. Social disadvantage to the data subject

You can find pretty much any possible risk under the sun, so be objective and thorough in your assessment.

Personal data breach communication to data subjects

In addition to notifying the supervisory authorities, in some cases, the controller must also take measures to notify the data subjects of a personal data breach.

Article 34 GDPR: Communication of personal data breach

Article 34 GDPR states that a data controller must report the data breach directly to the data subject when the breach is likely to result in a high risk to the data subject’s rights and freedoms.

GDPR states it as follows:

“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

Recital 86 GDPR provides additional guidance:

“The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.”

The purpose of the notification to the data subjects is to give them a chance to mitigate the potential adverse consequences they may suffer due to the breach.

Content of notice to data subjects

In the event a personal data breach may result in a high risk to the data subject’s rights and freedoms, the controller must disclose the breach to the data subject.

What should a company include in the data breach notification to the data subjects?

The following information must be notified, at a minimum, to the data subjects:

  1. Description of the nature of the personal data breach
  2. Company’s contact details
  3. Company’s data protection officer contact details, if any
  4. The company’s assessment of the likely risks and consequences of the personal data breach
  5. Description of the measures taken to address the breach
  6. Description of the measures taken to mitigate the risk to data subjects

Data subject notice format

GDPR does not specify how and in what format a company must communicate a data breach to data subjects.

What’s specified under the GDPR regulation is the nature of the information a company is obligated to share with a data subject.

A company can select the most appropriate means of communicating with its customers or personnel affected by a breach.

Public notifications

If direct notification of a data breach would involve a disproportionate effort for the controller, the controller may instead use a public communication or another similar measure to inform the data subjects.

What’s important is that the means chosen by the controller be equally effective as a direct notification.

Exceptions to the controller’s notification obligation 

Are there any exceptions to the controller’s data breach notification obligation to the supervisory authority?

Yes, in a limited way.

Article 33 GDPR requires that a personal data breach be reported to the supervisory authority:

“unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

A controller must put itself in the shoes of the data subjects and wonder whether or not the personal data breach can potentially result in a risk to the data subject’s rights and freedoms.

In some cases this is easy; in others, it may not be evident.

A risk to the data subject’s rights and freedoms can include: 

  1. Limitation of rights
  2. Possible discrimination
  3. Identity theft
  4. Fraud
  5. Financial loss
  6. Unauthorised reversal of pseudonymisation
  7. Damage to reputation
  8. Loss of confidentiality
  9. Disclosure of data protected by professional secrecy
  10. Economic disadvantage to the data subject
  11. Social disadvantage to the data subject

If a company is confident that the data breach does not have any meaningful consequence on the data subjects, it will not have the obligation to report it to the supervisory authority.

However, it will still have the obligation to document the breach, record its assessment of why it believes the data subjects were not impacted, and indicate what measures were taken to prevent a similar situation in the future.

Recording all data breaches

The controller has the obligation to record all data breaches whether they are reported to the supervisory authority or not.

The data breach records or registry must be sufficiently documented to understand the facts surrounding the breach, the effects of the breach and how the company has remedied the situation.

The data breach registry should be made available to the supervisory authority to verify a company’s compliance with this obligation.

Sanctions for failure to comply with GDPR

What are the possible sanctions, penalties or fines if a company is found to have violated its obligations to notify and report a data security breach?

The consequences can be quite severe.

Article 83(4)(a) GDPR specifies that infringements of Articles 25 to 39 (which include the notification obligations) can result in administrative fines of up to €10,000,000 or 2% of a company’s global annual turnover, whichever is greater.

In addition to the fines, Article 58 GDPR provides the power to the supervisory authority to order any corrective actions or measures needed to ensure the data breach is remedied and prevented in the future.

The overall cost to a company can be tremendous.

It’s always better for companies to take preventive measures than to deal with a data breach that requires them to notify the supervisory authorities and exposes them to fines and corrective orders.

Best practices to prevent personal data breaches

All companies are exposed to a possible security threat or breach.

Technical and organizational security measures

As a first measure, a company must implement sufficient technical and organizational measures to prevent and avoid data breaches.

Article 32 GDPR makes it very clear that companies are required to take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of their data processing activities along with the risk to data subjects when implementing their security measures.

Here are the guidelines offered by GDPR as to the type of security measures to implement (Article 32(1) GDPR):

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Company processes and policies

Companies can also implement internal processes and policies to avoid and detect possible security breaches.

Clearly, companies must have internal security processes to ensure that only the right people have access to the data they need to do their job.

If a person does not need a specific type of data, access should be removed.

The proper internal approval process should be implemented to ensure management has visibility as to who is engaging in what type of processing activity within an organization.

Monitoring activity 

The company’s IT teams should have monitoring systems in place to ensure the company records are kept confidential and minimize the risk of a breach.

If there is a breach or data is compromised, the company should trigger the proper verification and investigation so that it records what happened, the nature of the breach, its gravity and how it was dealt with.

Data breaches should then be recorded in a data breach registry in case a supervisory authority demands access to it. 

Staff should be trained to monitor and detect suspicious data access. 

Categorizing security incidents

It’s a good practice to define different categories of security incidents so that, depending on the category, a company has a predefined set of steps or measures to take to deal with the breach.

Security incidents can be categorized by severity.

Some security incidents may be minor in consequence, while others may result in significant consequences for an organization.

Companies should map that out in advance.

Remedial actions

Whenever there is a data breach, companies must manage the actual breach and should take the necessary steps to remedy the breach.

In some cases, a company may not have the necessary expertise internally to assess what happened or how to remedy it.

Depending on the circumstances, it may be worth working with a forensic expert to assess the breach and provide recommendations on how to remedy it going forward.

How to notify a data breach?

It may be difficult to quickly determine how to notify a supervisory authority of a data breach and what the actual process is.

Luckily, the International Association of Privacy Professionals has compiled a chart allowing organizations to quickly assess who is the supervisory authority of each European Union member country, what form to use, what email to use and any additional information.

You can access their DPA notification chart on how to notify a data breach in case you need to report an event to the proper supervisory authority.

Frequently Asked Questions

What to do if there is a data breach GDPR?

The first step is for the company to assess the gravity of the data breach and its likely consequences on the data subjects.

If there may be an impact on the data subjects’ rights and freedoms, it must report the incident to the supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach.

If there is no likely impact on the data subjects’ rights and freedoms, it must internally document the breach, explain why it does not believe there is an impact, and take the necessary remedial actions to prevent a future breach.

What are the penalties for breaching GDPR?

The consequences can be quite severe.

GDPR specifies that the failure to respect the personal data breach notification and communication obligations can result in administrative fines of the greater of either €10,000,000 or 2% of a company’s global annual turnover. 

In addition to the fines, Article 58 GDPR provides the power to the supervisory authority to order any corrective actions or measures needed to ensure the data breach is remedied and prevented in the future.

Editorial Staff
Hello Nation! I'm a lawyer by trade and an entrepreneur by spirit. I specialize in law, business, marketing, and technology (and love it!). I'm an expert SEO and content marketer where I deeply enjoy writing content in highly competitive fields. On this blog, I share my experiences, knowledge, and provide you with golden nuggets of useful information. Enjoy!
