Data Breach: Notification Procedure and Response
What to do in case of personal data breach? Deadlines for reporting to DPA and notifying affected individuals.
A personal data breach is one of the most stressful events for an organization. GDPR imposes strict deadlines and requirements for handling breaches. Prepared procedure and quick response can minimize damage and legal consequences.
What is a data breach according to GDPR?
A breach is (Art. 4(12)) accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data. It includes: hacks and data leaks, lost devices with data, misdirected email, unauthorized employee access, ransomware. Not every security incident is a personal data breach.
When and how to notify the supervisory authority?
Notification to DPA is required when breach may risk individuals rights and freedoms. Deadline: 72 hours from breach discovery. Notification includes: breach description, categories and number of individuals/records, DPO contact, likely consequences, measures taken. Form available on authority website.
When to notify affected individuals?
Notifying individuals is required when breach may cause HIGH risk to their rights (Art. 34). Communication must be clear, understandable and contain: breach description, DPO contact, likely consequences, measures taken, recommended actions for individuals. Notification can be avoided if effective protective measures were applied (e.g., encryption).
How to prepare breach handling procedure?
Procedure should contain: breach definition and incident reporting channels, response team and roles, risk assessment process for individuals, notification and communication templates, escalation to management and DPO, documentation of all breaches (Art. 33(5)). Regular training and procedure tests are essential.
In case of breach, quick scope identification is crucial. **Revelio** and **Detecto** enable rapid location of what personal data was in the breached system. Precise scope assessment affects risk classification and required actions.
Breaches happen - preparation is key. Good procedure, trained team, and tools for quick scope assessment minimize damage and fine risk.