Reporting a data breach per GDPR

The General Data Protection Regulation (GDPR) Act is a set of defined privacy laws that specify how a company must manage and safeguard the personal data of European Union (EU) residents. The Regulation also lays out how businesses may disclose a data breach.

The criteria for breach notification are outlined in Articles 33 and 34, yet most firms are still unaware of their obligations. Businesses frequently neglect details such as what an organization should disclose, when it should report it, to whom it should be reported, and what should be included in the breach notice. Significant fines may be imposed as a result of this carelessness.

The company has many essential obligations as a Data Controller (it keeps and/or manages data), including taking appropriate precautions and informing competent authorities and impacted persons in the case of a data breach. Let’s start with a definition of a personal data breach, as defined by the GDPR Regulation.

Who should be informed if there has been a data breach?

Once a personal data breach has been detected, businesses must disclose the breach to the appropriate supervisory body in line with Chapter 6.

If a firm has no legally established presence in the EU but is nonetheless involved in an event involving EU citizen data, it is required to notify the local regulatory authorities of each Member State in which it operates and is affected by the incident. As previously mentioned, companies must notify within 72 hours of becoming aware of a data breach.

The organization must also notify all impacted persons after informing the supervisory authority. They should, at the absolute least, make a statement informing them that an event has occurred. Although it is not expressly stated in the law, an organization can exhibit greater openness by creating a website and a toll-free hotline for individuals to contact in order to learn more about the incident and have their concerns answered.

Obligations to report after a data breach per GDPR

The company must inform the appropriate supervisory authority and the people who have been impacted. It is also critical to provide all relevant information about the data breach. The following are some of the details that should be included in a data breach notification:

  • When the breach happened and how it was discovered.
  • The types or categories of personal information that were impacted.
  • The scope of the data breach, both in terms of the number of records compromised and the number of persons affected.
  • The breach’s possible impact on data subjects.
  • The impact on the company in terms of services provided to users.
  • The time it takes to recover from the effects of the data breach.
  • Measures taken to rectify the situation and prevent it from happening again.
  • Name and contact information for the Data Protection Officer (DPO) in case you need more information regarding the data breach.

It’s worth noting that when alerting persons affected by an event, companies are obligated to disclose facts including the type of the personal data compromised and advice for the impacted person on how to reduce the incident’s potential harm. Again, depending on the sector, reporting a data breach under GDPR may also imply reporting the event under other data protection laws such as HIPAA, PIPEDA, and/or local laws.


Every company must adhere to the GDPR’s Breach Notification requirements. While this does not mitigate the incident’s outcomes, it does help to mitigate the incident’s effect and escalation. It may be viewed as a tool for businesses to reduce the danger of personal data breaches.

Because regulators recognize that a comprehensive investigation of a personal data breach cannot be completed in 72 hours, Article 33(4) permits companies to submit the essential information in stages without excessive delay. Organizations must, however, accelerate the process, prioritize the inquiry, and submit further information as soon as feasible. If all of the facts are not supplied within 72 hours, the organization must offer a good reason for the delay and a deadline for delivering more information.
