The GDPR acknowledges that data breaches can and do occur. It requires processes and controls to be put in place to minimise the possibility of a breach and, when a breach does occur, to minimise its impact and ensure that those affected are kept informed.
Processes must be in place to share information about data breaches both with the individual and with the supervisory authority; these processes have specific timescales assigned to them.
Documentation sent to the individual or the supervisory authority must contain specific information.
Put in place appropriate technical and organisational measures to minimise the risk of a data breach taking place.
- In the event of discovering the breach, without undue delay:
  - Describe the data breach, the number of data records affected, the number of individuals affected and the types of data affected
  - Provide a contact where more information can be obtained; this could be your Data Protection Officer
  - Describe the likely consequences of the breach
  - Describe the measures and plans to address the breach and the effects of the breach
In all cases, the information should be provided only if it does not present further risk to the individual.
If for any reason the information cannot be provided to the supervisory authority within 72 hours, then the reasons for this delay must be explained.
- GDPR Recitals: 85, 86, 87, 88
- GDPR Articles: 33, 34