
Data Breach Notifications Under GDPR | A Complete Guide

Data protection officers (DPOs) and compliance officers are the first responders in the event of a data breach. Like all emergency workers, they must stand at the ready, prepared to jump into decisive action at a moment’s notice. 

Upon discovery of a suspected data breach, the DPO must immediately investigate the circumstances to determine what, if any, information was compromised and assess the risks to determine whether data breach notifications are required. 

There are two types of data breach notifications under the General Data Protection Regulation (GDPR). The first is a notification to the data protection authority (DPA), which is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The second advises those affected, called data subjects, about the breach, and is required only when the breach is likely to result in a high risk to them. Generally, data breach notifications should detail what happened, outline the measures the organization is taking to deal with the breach and mitigate its adverse effects, and explain what may happen as a result of the breach. 

Let’s take a closer look at both types of notifications as well as the events that trigger them. 

Contents

What is a personal data breach?
When does an organization have to notify the authorities of a breach under the GDPR?
What should a notification to the authorities contain?
When does an organization have to communicate a personal data breach to data subjects?
What does an organization need to report to data subjects?
What are the best practices for data breach notification and GDPR compliance?
How can eDiscovery technology help organizations meet the 72-hour reporting deadline? 

What is a personal data breach? 

A personal data breach is a security incident that affects the confidentiality, integrity, or availability of personal data. Article 4(12) of the GDPR defines a personal data breach as a security breach leading to “the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.” 

Personal data breaches can result inadvertently, such as when someone accidentally sends an email with personal data to the wrong recipient, or deliberately, such as when an unauthorized third party hacks into a company network to access confidential personnel files.

If personal data was compromised, the breach must be reported to the appropriate DPA unless it is unlikely to result in a risk to data subjects’ rights and freedoms; if the risk to those rights and freedoms is high, the affected data subjects must be notified as well. Let’s take a closer look at what triggers a required notification. 

When does an organization have to notify the authorities of a breach under the GDPR? 

The default position under the GDPR is that the appropriate DPA must be notified of all personal data breaches unless the organization, as controller, can demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” 

Which DPA is the appropriate one for a notification depends on where the organization is established and where its processing takes place. If the company is established in the EU and operates in only one Member State, it should report the breach to the DPA of that Member State. If it operates in multiple Member States, it should report the breach to the lead DPA of the Member State where its main establishment is located, that is, where decisions about the purposes and means of the processing are made. If the company has no establishment inside the EU, the lead-authority mechanism does not apply, and it should report a breach to the DPA of every Member State in which it operates. 

The DPO’s risk assessment is pivotal to determining the appropriate response to a data breach. Failing to adequately assess the risk associated with a personal data breach can result in failing to meet the GDPR’s obligations. To determine whether a breach requires notification, the organization must have a high-quality process for risk management and robust processes for breach detection, investigation, and reporting. 

DPOs must have sufficient technical knowledge, training, and IT support to ensure that they can make accurate assessments and act without undue delay in the event of a security incident. This is a particular concern for small and medium-sized organizations, where the person responsible for compliance might also have many other responsibilities. 

Quick, competent assessment is also necessary because time is of the essence with data breach notifications. Organizations must report a breach to the appropriate DPA without “undue delay” and, where feasible, no later than 72 hours after becoming aware of the breach. If the notification is made after the 72-hour deadline, it must be accompanied by the reasons for the delay. The clock runs for the controller; a processor that discovers a breach must notify the controller without undue delay so that the controller’s 72 hours are not consumed before it even learns of the incident. 

What should a notification to the authorities contain? 

Some DPAs provide a reporting portal on their website along with a specific form to use. Others, like the UK’s Information Commissioner’s Office, accept reports by telephone as well as through an online form. 

No matter the form of notification, the GDPR requires an organization to disclose the following: 

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records affected;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate possible adverse effects;
  • the name and contact details of the DPO or another contact point where more information can be obtained; and
  • if the notification is made after the 72-hour deadline, the reasons for the delay (Article 33(1)). Many DPA forms also ask how and when the organization became aware of the breach. 

The first four items are listed in Article 33(3). 

An organization must provide an initial breach notification within the required timeline even if it does not yet have complete information about the circumstances of the breach. 

When does an organization have to communicate a personal data breach to data subjects? 

When a personal data breach is “likely to result in a high risk to the rights and freedoms of natural persons,” the affected data subjects must be notified “without undue delay.” This is a higher standard than notifying the DPA and requires an assessment of the severity of the potential or actual impact on individuals and the likelihood of such an impact occurring. Article 34(3) provides three exceptions: communication to data subjects is not required if the affected data was protected by appropriate technical and organizational measures that render it unintelligible to unauthorized persons (encryption is the example the GDPR gives), if the organization has since taken measures that mean the high risk is no longer likely to materialize, or if individual communication would involve disproportionate effort, in which case a public communication or similar measure must be used instead. 

What does an organization need to report to data subjects? 

The communication should inform the affected data subjects in simple, clear language of the nature of the personal data breach and of any recommendations to mitigate the potentially adverse effects of the breach. Article 34(2) of the GDPR also requires that the data subjects be informed of: 

  • the name and contact details of the organization’s DPO or another contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures the organization has taken or plans to take to address the personal data breach, including measures to limit its possible adverse effects. 

Recognizing that it may not be possible to investigate a breach fully within 72 hours, Article 33(4) of the GDPR allows the organization to provide the information required in the DPA notification in phases, without undue further delay, as it becomes available. 

What are the best practices for data breach notification and GDPR compliance? 

To ensure compliance with the GDPR, the DPO and compliance officers must ensure they fulfill their obligations to communicate about potential data breaches. To do this, they must: 

  • have robust processes in place to ensure breaches are promptly detected;
  • understand the immediacy of the timetable once there is awareness of a personal data breach;
  • document and keep accurate records of all breaches, regardless of whether notification is required, including the facts, effects, and remedial action taken (Article 33(5));
  • document the factual circumstances and judgments underscoring each risk assessment;
  • have policies and procedures in place to ensure that notification obligations are satisfied; and
  • stay up to date on the DPA’s guidance on personal data breach notifications to ensure compliance under Article 33 of the GDPR. 

How can eDiscovery technology help organizations meet the 72-hour reporting deadline? 

Increasingly, DPOs are turning to eDiscovery analytics software to help them satisfy their GDPR obligations. Responding to data breaches requires fast and accurate action, without which organizations can face legal liability for their failure to send timely notifications. 

Sometimes it isn’t possible to provide the DPA with all of the relevant information within the 72-hour notification window. While the GDPR allows additional information to be provided in phases, the use of powerful analytical software can shorten the timeline for risk assessment. 

eDiscovery software reveals critical data quickly, accelerating the assessment process and helping organizations determine whether notification is required and, if so, to whom. For example, organizations can use deduplication to expedite review by removing duplicate files. They can then deploy a pattern-recognition tool to find patterns in data, such as Social Security numbers, ID numbers, phone numbers, and other personal data. Proximity search can help identify when there is relevant information adjacent to personal data in the data set. And technology-assisted review (TAR) can prioritize data for review based on relevancy algorithms, weeding out irrelevant information and giving organizations the rapid insight they need for quicker response and remediation. 
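The two steps described above, deduplicating the exposed file set and then pattern-matching it for personal data, are easy to demonstrate in a few dozen lines. The following is an added example written for this page; it is not ZyLAB ONE code and does not reflect how any particular product works. The documents are constructed inline, the email and phone patterns are deliberately simple, and the Dutch citizen service number (BSN) with its 11-proof checksum is used as the ID-number category because the checksum shows why a raw nine-digit regex is not enough: the memo contains an order reference that looks like an ID but fails validation, so it is not counted toward the “approximate number of data subjects” figure that Article 33(3) asks for.

```python
"""Breach-scoping helper (added example): deduplicate exposed documents by
content hash, then count distinct personal-data values per category so a
DPO can estimate categories and numbers of affected data subjects."""
import hashlib
import re
from collections import defaultdict

# Constructed sample documents (not real data). payroll_2023_copy.csv is a
# byte-identical duplicate; memo.txt carries one email plus a nine-digit
# order reference that looks like an ID number but fails the checksum.
EXPOSED_DOCUMENTS = {
    "hr/payroll_2023.csv": (
        "name,email,phone,bsn\n"
        "Jane Doe,jane.doe@example.com,+31 6 12345678,123456782\n"
        "John Roe,john.roe@example.com,+31 6 87654321,111222333\n"
    ),
    "hr/payroll_2023_copy.csv": (
        "name,email,phone,bsn\n"
        "Jane Doe,jane.doe@example.com,+31 6 12345678,123456782\n"
        "John Roe,john.roe@example.com,+31 6 87654321,111222333\n"
    ),
    "legal/memo.txt": "Please contact jane.doe@example.com about order 123456789.\n",
}

# One simplified pattern per personal-data category. A nine-digit run is only a
# BSN *candidate* until the checksum passes.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){8,12}\b"),
    "bsn": re.compile(r"(?<!\d)\d{9}(?!\d)"),
}


def bsn_is_valid(candidate: str) -> bool:
    """Dutch BSN 11-proof: weights 9..2 on the first eight digits and -1 on
    the ninth; the weighted sum must be divisible by 11."""
    digits = [int(c) for c in candidate]
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(d * w for d, w in zip(digits, weights)) % 11 == 0


# Categories without a validator accept every regex match.
VALIDATORS = {"bsn": bsn_is_valid}


def deduplicate(documents: dict[str, str]) -> dict[str, list[str]]:
    """Group paths by the SHA-256 of their body so each distinct body is
    reviewed once. Returns {hexdigest: [paths sharing that body]}."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for path, body in documents.items():
        by_hash[hashlib.sha256(body.encode()).hexdigest()].append(path)
    return dict(by_hash)


def scan(documents: dict[str, str]) -> dict[str, set[str]]:
    """Return, per category, the set of distinct validated values found in
    the deduplicated documents."""
    found: dict[str, set[str]] = {name: set() for name in PATTERNS}
    representative_paths = [paths[0] for paths in deduplicate(documents).values()]
    for path in representative_paths:
        body = documents[path]
        for name, pattern in PATTERNS.items():
            validate = VALIDATORS.get(name, lambda _value: True)
            for match in pattern.finditer(body):
                value = match.group(0)
                if validate(value):
                    found[name].add(value)
    return found


def summarize(documents: dict[str, str]) -> dict:
    """Figures a DPO needs for the Article 33(3) description of the breach.
    The data-subject estimate is the largest distinct-value count of any
    category, a lower bound that review should refine."""
    groups = deduplicate(documents)
    found = scan(documents)
    return {
        "distinct_documents": len(groups),
        "duplicate_paths": sum(len(paths) - 1 for paths in groups.values()),
        "categories": {name: len(values) for name, values in found.items() if values},
        "approx_data_subjects": max((len(v) for v in found.values()), default=0),
    }


if __name__ == "__main__":
    print(summarize(EXPOSED_DOCUMENTS))
```

Run against the constructed set, the summary reports two distinct documents (one duplicate path), two distinct values each for email, phone and BSN, and an estimate of two affected data subjects; the memo’s 123456789 is dropped by the checksum. In a real engagement the patterns would be replaced with the identifier formats relevant to the affected population, and the distinct values, not just the counts, would be retained to identify whom to notify if the Article 34 threshold is met.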

ZyLAB ONE helps organizations identify critical information quickly in a crisis. That lets them promptly make decisions that can minimize the breach’s damage to both data subjects and the organization itself. Contact us today to learn more.