HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Data Breach Reporting Requirements

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject, that is, any information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach, as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed one, or, if a DPO has not been appointed, to the privacy officer or the security team.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than under HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered (see GDPR Article 33). A data breach must be reported unless it is unlikely to result in a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

  • A description of the data breach
  • Categories of data subjects affected and the approximate number of individuals impacted
  • Categories and approximate number of data records affected
  • Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
  • A description of the likely consequences of the data breach
  • A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that a reasonable person would understand, and the personal breach notifications must include the same categories of information as the notification sent to the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

  • Steps have been taken to render the personal data inaccessible or unintelligible – encryption, for example
  • Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – the remote deletion of data on a lost device, for example
  • Individual data breach notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued instead

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.