HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Data Breach Notification Rules

The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, makes a number of changes to how organizations may use personal data. It also changes the rules on how, and how quickly, personal data breaches must be notified.

Both data controllers and data processors are obligated to put in place sufficient safeguards for the information they hold and process. The exact means are not specified: Article 32, Security of processing, and several other provisions require “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Article 32 also gives a non-exhaustive list of measures that may be appropriate, including pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore the availability of and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures.

The security measures and procedures must be documented so that compliance with the regulation can be demonstrated. An organization that cannot show it has the necessary security controls and testing in place risks being found non-compliant and facing penalties.

When Should a Breach Notification be Issued?

In GDPR Article 4, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.


Under Article 33, Notification of a personal data breach to the supervisory authority, data controllers are obligated to report a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If the report is made after 72 hours, it must be accompanied by the reasons for the delay. Notification to the authority is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons (the data subjects, the people the data relates to); even then, the controller must still document the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance.

Controller notifications to data subjects are not held to a fixed deadline, but must be made “without undue delay”. Data processors are also required to notify the relevant data controller “without undue delay” after becoming aware of a breach.

What Should be Included in a Data Breach Notification?

The data controller is responsible for reporting the breach to the authority, even where the processor is the source of the breach. The notification to the authority must, as far as possible, include:

• the nature of the personal data breach
• the categories of data subjects and of data records involved
• the approximate number of data subjects impacted
• the approximate number of data records impacted
• the name and contact details of the data protection officer, or another contact point where more information can be obtained
• a description of the likely consequences of the breach
• a description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

Where it is not possible to provide all of this information at once, it may be provided in phases without undue further delay. All of it should be documented so that compliance can be reviewed at a later date.

Controllers are also responsible for notifying data subjects following breaches that are likely to result in a high risk to the rights and freedoms of the individuals concerned. Notification is not needed if measures were in place that would “render the personal data unintelligible to any person who is not authorised to access it, such as encryption”; if measures taken after the breach mean the high risk is no longer likely to materialize; or if notification would require “disproportionate effort”, in which case an equally effective public communication may be used instead. Two caveats apply: these exemptions concern only the communication to data subjects, and the supervisory authority can itself require the controller to notify data subjects if it considers the breach likely to result in a high risk. Whether the breach must be reported to the authority is assessed separately under the Article 33 risk threshold.

Similar to notifications to the authority, notifications to data subjects must describe, in clear and plain language, the nature of the breach and include at least:

• the name and contact details of the data protection officer or other contact point
• a description of the likely consequences of the breach
• a description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

    Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.