A personal data breach is a security incident that affects personal data in some way. If a breach occurs, the data controller has specific obligations, and these obligations vary with the severity of the breach. Because the controller is the party that must act, a data processor should always report a breach to the data controller.
What does a personal data breach mean?
A personal data breach may put data subjects’ rights and freedoms at risk. This can include physical, material or non-material risks. Examples are identity theft, fraud and other financial loss. Other cases include damage to reputation or social disadvantage.
When must it be reported, and to whom?
When it is unlikely that the breach will lead to a risk for data subjects, reporting is not necessary. However, if a risk is likely, the breach must be reported.
In cases where the breach is likely to lead to a high risk, you must report the breach, and data controllers need to inform the affected individuals as well. The information given to individuals needs to include the potential consequences of the breach and a description of what is being done to minimise the resulting risks.
Sometimes the supervisory authority may instruct data controllers to inform data subjects. Such instructions may also specify how the data subjects are to be informed.
Companies and organisations must report the data breach to the supervisory authority concerned within 72 hours. The 72-hour rule was newly introduced with the GDPR. The clock starts counting down after the data controller has been made aware of the breach.
What should the report include?
The following are examples of what the report to the supervisory authority needs to include:
- a description of the nature of the personal data breach;
- the contact details of the Data Protection Officer or other relevant people;
- the likely consequences of the personal data breach; and
- what actions have been taken or proposed to resolve the personal data breach.