
Personal Data Breach Reporting Requirements Under the GDPR

What is a Data Breach?

According to the General Data Protection Regulation (GDPR), a personal data breach is a security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Types of Personal Data Breaches

There are three main types of personal data breaches in GDPR:

  • Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data.
  • Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  • Integrity breach – where there is an unauthorised or accidental alteration of personal data.

Depending on the circumstances, an incident can involve any one of the breach types listed above or a combination of them.

Examples of personal data breaches include the following kinds of incidents:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • loss of confidentiality of personal data protected by professional secrecy;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

According to GDPR Article 33, data controllers must report certain types of personal data breaches to the Data Protection Authority (DPA) within 72 hours of becoming aware of the breach.

If the incident poses a high risk to affected individuals then they should also be informed, unless there are effective technical and organisational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialise.


As per GDPR, in what circumstances do you need to report a breach?

If you experience a personal data breach, you need to consider whether it poses a risk to the affected individuals. Assess the likelihood and severity of the risk to individuals' rights and freedoms following the incident. If this assessment finds that a risk is likely, you must notify the DPA.

What happens if there is no risk and you don’t have to send a personal data breach notification to the Authority?

If the risk is unlikely to materialise, you do not have to report to the Supervisory Authority, but you still have to record the breach in your Breach Register. The Supervisory Authority may request a Breach Register report from you during an investigation or other routine checks. Having a Breach Register demonstrates the maturity of your privacy organisation, while not having one may signal that your organisation does not take breach management seriously enough.

GDPR Article 33 (5): “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”


Reporting personal data breaches to Data Protection Authority

A notifiable breach must be reported to the DPA without undue delay, and not later than 72 hours after becoming aware of it. If you notify the DPA later than 72 hours after becoming aware of the breach, you must provide reasons for the delay.

How to report a breach according to GDPR?

When reporting a security breach, you will have to provide the following information:

  • a description of the nature of the breach including, where possible:
      • the categories and approximate number of data subjects concerned; and
      • the categories and approximate number of personal data records concerned;
  • the name and contact details of the DPO (if your organisation has one) or another contact point from which more information can be obtained;
  • a description of the likely consequences of the incident; and
  • a description of the measures taken or proposed to be taken to deal with the breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

It may not be possible to provide all the information listed above immediately. In that case, you may provide it in phases.

The personal data breach notification has to be made to the Data Protection Authority of the country where the controller company is located. Contacts of EU Data Protection Authorities by country can be found here.

Notifying data subjects about the personal data breach

When is a personal data breach notification to individuals necessary? Some breaches are likely to result in a high risk to the rights and freedoms of natural persons. In such a situation, the controller must inform the affected individuals directly, in an appropriate and timely manner. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of the breach. In the personal data breach notification you need to describe, in clear and plain language, the nature of the incident and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or another contact point where more information can be obtained;
  • a description of the likely consequences of the incident; and
  • a description of the measures taken or proposed to be taken to deal with the incident, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Should the Processor report a personal data breach?

If your organisation acts as a data processor and you suffer a data breach, the GDPR requires you to inform your controller without undue delay as soon as you become aware of the breach. The data controller may define special reporting conditions. The requirements for reporting a personal data breach should be detailed in the Data Processing Agreement between you and your controller.
