Step 9. Review Breach Notification and Incident Response Procedures

9. Review Breach Notification and Incident Response Procedures – GDPR consultant 12 step guide to GDPR compliance

Under the GDPR, your data breach notification and incident response procedures must enable you to tell the competent supervisory authority about a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. You should make sure you have the right procedures in place to detect, report and investigate a ‘personal data breach’, and to record every breach you assess, whether or not you end up notifying it.

The GDPR (Article 4(1)) and the Directive it replaces (95/46/EC) define personal data as

“any information relating to an identified or identifiable natural person (‘data subject’).”

Under the GDPR (Article 4(12)), a personal data breach is

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Who needs to be notified?

In the event of a personal data breach, data controllers must notify the supervisory authority “competent in accordance with Article 55”. This is most likely the supervisory authority of the member state where the controller has its main establishment or only establishment, according to Article 56(1), although this is not entirely clear. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The clock starts at awareness, not at the underlying compromise: the Article 29 Working Party guidance treats a controller as aware once it has a reasonable degree of certainty that a breach has occurred, which is why detection and escalation paths matter as much as the notification template. If notification is not made within 72 hours, it must be accompanied by the reasons for the delay (a “reasoned justification”, in the words of Recital 85).

Article 33(1) contains a key exception to the supervisory authority notification requirement: notice is not required if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. This will no doubt offer data protection officers, and their outside counsel, opportunities to debate the necessity of notification. Note, however, that Article 33(5) requires the controller to document every personal data breach, including its facts, effects and the remedial action taken, whether or not it was notified, so that the supervisory authority can verify compliance; a decision not to notify should therefore be recorded together with the reasoning behind it.

What information should be included in a notification?

Under Article 33(3), the notification to the supervisory authority must at least:

  • describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records affected

  • provide the name and contact details of the data protection officer or another contact point where more information can be obtained

  • describe the likely consequences of the personal data breach

  • describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

If the information is not all available at once, Article 33(4) allows it to be provided in phases, without undue further delay.

When a data processor experiences a personal data breach, Article 33(2) requires it to notify the controller without undue delay after becoming aware of it, but the processor otherwise has no other notification or reporting obligation under the GDPR. Controllers relying on processors should check that their processing contracts set out how, and how quickly, that notification will reach them.

If the controller has determined that the personal data breach “is likely to result in a high risk to the rights and freedoms of natural persons”, Article 34(1) requires the breach to be communicated to the affected data subjects “without undue delay”. The threshold here is higher than for notifying the supervisory authority (“high risk” rather than “a risk”), so a breach may need to be reported to the authority without any communication to data subjects.

Article 34(3) provides exceptions to notifying data subjects in the following circumstances:

  • The controller has “implemented appropriate technical and organisational protection measures”, and applied them to the data affected, in particular measures that “render the personal data unintelligible to any person who is not authorised to access it, such as encryption”. In practice this only holds where the encryption keys were not also compromised and the data remains available to the controller (e.g. from backups), so the strength of the encryption, the key management and the scope of the attacker's access all need to be established before relying on this exception.

  • The controller has taken subsequent measures after the personal data breach which “ensure that the high risk to the rights and freedoms of data subjects” is no longer likely to materialise.

  • Notification to each data subject would “involve disproportionate effort”, in which case a public communication or a similar measure that informs the data subjects in an equally effective manner must be used instead.

Assuming the controller has notified the appropriate supervisory authority of a personal data breach, its discretion over notifying data subjects is limited by the supervisory authority's power, under Article 34(4), to require the controller to communicate the breach to them or, conversely, to decide that one of the exceptions above applies and no communication is necessary.