
Data Breach

Context:

The GDPR acknowledges that data breaches can and do occur. It requires processes and controls to be put in place to minimise the possibility of a breach and, when a breach does happen, to minimise its impact and ensure that those affected are kept informed.

Considerations:

As with other aspects of the GDPR, any communications with the data subject must be in clear and plain language.

Processes must be in place to share information about data breaches both with the individual and with the supervisory authority, and these processes have specific timescales assigned to them.

Documentation sent to the individual or the supervisory authority must contain specific information.

How to:

Put in place appropriate technical and organisational measures to minimise the risk of a data breach taking place.

In the event of discovering the breach, without undue delay:

  • Describe the data breach, the number of data records affected, the number of individuals affected and the types of data affected
  • Provide a contact where more information can be obtained; this could be your Data Protection Officer
  • Describe the likely consequences of the breach
  • Describe the measures and plans to address the breach and the effects of the breach

The data controller should also notify the supervisory authority about the breach within 72 hours, providing the detail described above.

In all cases the information should be provided only if it does not present further risk to the individual.

If for any reason the information cannot be provided to the supervisory authority within 72 hours, then the reasons for this delay must be explained.

References:

  • GDPR Recitals: 85, 86, 87, 88
  • GDPR Articles: 33, 34
