When are GDPR Personal Data Breach Notifications Required?


GDPR personal data breach notifications must be issued to the competent supervisory authority in the event of a breach of personal data unless the breach is unlikely to result in a risk of adverse effects on data subjects. Data breach notifications must be issued to data subjects when there is a high risk to the rights and freedoms of those individuals as a result of the breach.

Requirements for GDPR Personal Data Breach Notifications

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) becomes enforceable. GDPR compliance involves many requirements, one of which is the mandatory reporting of breaches of personal data.

While security breaches may need to be reported to other entities under state or federal laws, GDPR only requires notifications to be issued when the personal data of EU citizens is breached.

GDPR personal data breach notifications are required for “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

If that is the case, an assessment must be made to determine the level of risk faced by data subjects. If a breach is unlikely to result in a risk of adverse effects, notifications are not required. If the breach does involve increased risk, the controller must notify the competent supervisory authority or, in the event of a data breach affecting individuals in more than one member state, each relevant competent supervisory authority.

Notifications are also required for individuals impacted by the breach if they face a high risk to their rights and freedoms. In such cases, those individuals should be advised of the nature of the breach and be provided with information on the steps they can take to mitigate risk and protect themselves from the possible consequences of the breach. Those notifications must be issued as soon as is reasonably feasible.

It is essential that policies are developed to enable a fast response to a breach of personal data as part of an organization’s GDPR compliance efforts. Entities have only 72 hours from becoming ‘aware’ of a breach to report the incident. That is a maximum timeframe for reporting: breach notifications should be issued without undue delay, within that 72-hour window. If the time limit of 72 hours is exceeded, an entity would be liable for a fine for noncompliance, and those fines can be considerable.

The question of when a controller becomes aware of a data breach should be clarified. Awareness of a breach is when the controller can say, with a reasonable degree of certainty, that a breach is likely to have occurred that has resulted in personal data being compromised.

Details of the breach and the actions taken to mitigate risk and control the breach, along with copies of the notifications issued, should be retained in case of an audit.

Guidelines on GDPR Personal Data Breach Notifications Issued

Because GDPR regulations on data breaches are complex, the Article 29 Working Group has released guidelines on GDPR personal data breach notifications to aid understanding and help organizations comply with GDPR. The guidelines confirm the definition of a breach and when breaches are reportable, and provide examples to illustrate when the competent supervisory authority and data subjects must be notified.


Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
