Data security and privacy are central tenets of the GDPR. Besides laying down rules to protect the security and privacy of personal data, the GDPR also stipulates what an organization must do after it suffers a personal data breach.
In this article in our GDPR series, let's look at the GDPR provisions on data breaches and the actions you can take to comply with them.
GDPR Provisions
Articles 33 and 34 of the GDPR deal with personal data breaches. Article 33 covers notifying the supervisory authority of a breach, while Article 34 lays down the rules for communicating the breach to the affected data subjects.
Let’s take a brief look at each article.
Article 33
This article requires you (the controller) to notify the supervisory authority of a breach without undue delay and, where feasible, no later than 72 hours after you become aware of it. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of the affected individuals. If you miss the 72-hour deadline, the notification must be accompanied by the reasons for the delay. Note that the clock starts when you become aware of the breach, so slow detection and escalation eat directly into the time you have to investigate and report.
Your notification must include the following:
- The nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records affected.
- The name and contact details of your Data Protection Officer (DPO) or another contact point where more information can be obtained.
- The likely consequences of the breach.
- The measures you have taken or propose to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
If you cannot provide all of this information at once, you may provide it in phases, without undue further delay. A processor that discovers a breach must notify the controller without undue delay so that the controller's 72-hour clock can start. In all cases, document the breach, its facts, its effects and the remedial action you took, so that the supervisory authority can verify your compliance.
Article 34
This article lays down the rules for communicating a breach to the affected data subjects. You must inform the data subjects, without undue delay, if the breach is likely to result in a high risk to their rights and freedoms. The communication must describe the nature of the breach in clear and plain language and must at least include the information from Article 33 on your DPO or contact point, the likely consequences and the measures taken or proposed.
However, no communication is required if you:
- Had appropriate technical and organizational protection measures in place that render the personal data unintelligible to anyone not authorized to access it, such as encryption. This only holds if the keys were not compromised along with the data; a leaked database encrypted with a key that was stored next to it does not qualify.
- Took subsequent measures that ensure the high risk to the data subjects is no longer likely to materialize, for example by revoking exposed credentials before they can be used.
- Would have to make a disproportionate effort to communicate with every affected person, typically when a very large number of people is involved. In such cases, a public communication or a similar measure that informs the data subjects equally effectively is acceptable.
Finally, if you have not informed the data subjects, the supervisory authority can, having assessed the likelihood of high risk, require you to do so, or it can decide that one of the exemptions above applies.
Now that you know the GDPR provisions for notifications, let’s look at how you can comply with them.
10 Best Practices for Handling Data Breaches
Below are some best practices that you can follow to handle data breaches:
- Create a detailed incident response plan that outlines the steps to be taken, including how the 72-hour notification deadline is tracked from the moment of awareness.
- Assign specific roles and responsibilities to employees and ensure everyone knows what they must do when a breach happens.
- Form an incident response team with members from different functions, such as security, IT operations, legal, privacy and communications.
- Use security monitoring tools to detect unusual activity early; the sooner a breach is detected and escalated, the more of the 72-hour window remains for investigation.
- Conduct regular drills and simulations to test your plan and improve it accordingly.
- Maintain a comprehensive record of breaches, their effects and your responses, as Article 33 requires, to demonstrate compliance.
- Have a process in place to inform the data subjects where this is required.
- Work with your legal and regulatory teams to handle reporting to the supervisory authority.
- Take measures to manage public relations.
- Review the incident response process after each incident and make changes as needed.
These practices help you notify the authorities and the data subjects of a breach correctly and on time. Besides meeting your compliance obligations, clear and timely communication helps build trust in your business.
Final Words
In summary, the GDPR requires you to notify the supervisory authority of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. In some cases, you must also inform the data subjects, namely when the breach is likely to result in a high risk to their rights and freedoms. In this article, we looked at some best practices you can follow to comply with these provisions and earn the trust of your stakeholders.