Let’s get started!
Ready to extend visibility, threat detection and response?
Get a DemoGDPR Data Breach Notifications: Everything You Need to Know
November 29, 2019
Last Updated:
September 23, 2024
Share on:
Millions of organizations worldwide are covered by the European Union’s General Data Protection Regulation (GDPR). GDPR does not only regulate how organizations should protect personal data, it also stipulates what an organization should do after it has undergone a security breach that affects personal data. Organizations must report a breach within 72 hours to a Data Protection Officer (DPO) in their region, and in some cases must also notify individuals whose data was exposed.
To learn about a similar requirement in other legislation, see our article on HIPAA Breach Notifications.
Data Breaches under GDPR: The 72 Hour Deadline and Potential Fines
The GDPR legislation specifies that an organization must report a security breach that affects personal data to a Data Protection Authority (DPA). According to Article 33 of the law, organizations must notify the DPA of a breach within 72 hours of becoming aware of the breach.
The law requires notification within 72 hours “where feasible”, so it is possible to request an extension, and it is also acceptable to inform the DPA in stages, as details about the breach become available.
What is the implication of failing to report a breach?
Failure to issue a breach notification can result in a fine of up to €10 million or 2% of a company’s revenues. However, European authorities emphasize that fines are a last resort and will only be used for severe or repeat offenses. The UK Information Commissioner’s Office (ICO) said that “What is foremost in regulators’ minds is not to punish the organisations, but to make them better equipped to deal with security vulnerabilities.”
What is the Official Definition of a Data Breach Under GDPR?
According to the Data Protection Commission’s Quick Guide to Breach Notifications, a breach that requires notification under GDPR is:
- An incident that causes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- ‘Personal data’ means any information concerning or relating to an identified or
- identifiable individual.
- A personal data breach is not only an incident involving loss of data, but may also include accidental exposure of data, deliberate acts to gain access to customer data, or encryption of data that renders it unaccessible.
- Personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data.
Examples of incidents could qualify as data breaches under the GDPR:
- A customer database stored on a physical device has been lost or stolen
- Personal data has been encrypted by ransomware, or accidentally encrypted by its owner and the key was lost
- Data is deleted by accident, or by an unauthorized person
- Critical personal data is rendered unavailable by a cyber attack, such as a Denial of Service (DoS) attack.
Tips From the Expert
In my experience, here are tips that can help you better manage GDPR compliance when it comes to data breaches:
- Prepare a breach response team with 24/7 coverage Ensure your breach response team is available around the clock. Since GDPR mandates reporting within 72 hours, delays during weekends or holidays can put you at risk of non-compliance.
- Set up breach detection SLAs with third-party vendors If your organization works with third-party processors or services, establish strict service-level agreements (SLAs) to guarantee they notify you of breaches immediately, giving you enough time to report to authorities within 72 hours.
- Implement advanced threat intelligence for breach visibility Use tools with advanced threat intelligence and monitoring capabilities to detect breaches as early as possible. Real-time visibility into security incidents helps minimize the time between breach detection and notification.
- Document every step of your breach response Even if you cannot notify the DPA within the 72-hour window, document your reasons for the delay, and the steps taken to mitigate the breach. This can help you avoid fines and demonstrate good faith efforts toward compliance.
- Use encryption as a preventive safeguard Ensure that sensitive data is encrypted both at rest and in transit. If encrypted data is breached, GDPR may not require you to notify data subjects, significantly reducing legal and financial risks.
Who Should You Notify When a Data Breach Occurs?
According to GDPR, your organization must send data breach notifications to one of the Data Protection Authorities across Europe. Which DPA you should report to, depends on a few factors:
- If you only operate in one European country or the data is collected, processed and used in one country, you only need to notify the local DPA in that country.
- If the data is transmitted between European countries, and you operate in one or more European countries, you should notify the DPA for the country in which decisions around the data are made. This is called a Leading Supervisory Authority (LSA). For example, if the compromised data was financial, and the company’s finance department is in the UK, even if the data was collected or processed in other European countries, the breach notification should be to the UK DPA.
- If you do not have a presence in the EU, you must report to the DPA in each European country you are active in.
Most DPAs provide an online form you can use to report the data breach. You should prepare as much information as possible in advance, so you have it ready when you start filling the form.
The DPAs for each EU member state are listed by the European Data Protection Board on this page.
What Do You Need to Report in your Data Breach Notification?
Below is the mandatory information that should be included in a breach notification letter to the relevant DPA.
| Nature of the Breach | How the breach happened, how many individuals were affected, categories of data affected, how many records were lost, exposed, etc. |
|---|---|
| Contact Persons | Name and contact details of the entity considered the point of contact for data protection in your organization – a Data Protection Officer (DPO), EU representative, etc. |
| Consequences of the Breach | Explain what could happen as a result of the breach. Can the loss or exposure of data lead to identity theft, financial damages, or other negative consequences? |
| Measures Taken | Explain what you have done, or plan to do in the future, to address the breach. This should include how to solve the immediate problem – for example how to decrypt or restore the data – and how to prevent and mitigate similar incidents in future. |
Data Breach Notification for Data Subjects
If a data breach is likely to result in risks to EU consumers who are the owners of the data (“data subjects” in GDPR terminology), you need to notify the data subjects directly about the data breach.
In general, if you notify the DPA about a data breach you are probably also required to notify data subjects. There are a few exceptions:
- Data was encrypted or anonymized in such a way that third parties cannot use it
- You have taken corrective measures and prevented any risk to data subjects
- It requires a very large, disproportionate effort to individually notify data subjects
Cynet 360: End-to-End Security for GDPR Compliance
Cynet 360 is a holistic security platform including monitoring and control, prevention and detection of attacks, response orchestration, and managed incident response services. Cynet is designed to help with regulatory compliance, and can help with three of the key principles of GDPR for processing personal data. Cynet can assure data is stored with integrity and confidentiality, and helps with accountability by providing advanced prevention and detection tools.
Learn how the Cynet 360 platform helps you meet GDPR requirements.