Overview

This article requires controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals’ rights and freedoms. Notifications must include details such as the nature of the breach, the affected data subjects and records, the likely consequences, and the measures taken to mitigate it. Processors must inform controllers promptly about breaches, and all breaches must be documented, whether or not they are notified.

Key Principles

  • Timely Notification: Controllers must report breaches to supervisory authorities within 72 hours.

  • Risk-Based Assessment: Notifications are required only if the breach poses a risk to data subjects’ rights and freedoms.

  • Transparency: Include details on breach nature, affected individuals, records, consequences, and mitigation actions.

  • Accountability: Maintain a documented record of all breaches, including those not requiring notification.

  • Processor Obligations: Processors must inform controllers promptly to enable timely reporting.

Organizational Applicability

This article applies to all organizations processing personal data within the EU:

  • Controllers responsible for personal data of EU/EEA data subjects.

  • Processors managing personal data on behalf of controllers.

  • Public and private sector entities with obligations to report or manage data breaches.

  • Teams handling IT security, incident response, compliance, and legal operations.

Implementation Requirements

  • Establish procedures for detecting, assessing, and reporting breaches.

  • Notify supervisory authorities within 72 hours of identifying a breach that poses risk.

  • Document all breaches, including nature, data involved, consequences, and mitigation measures.

  • Ensure processors are aware of their obligation to promptly inform controllers.

Implementation Guidance

  • Implement an incident response plan with defined roles and responsibilities.

  • Use logging and monitoring tools to detect breaches quickly.

  • Train staff on breach reporting procedures and escalation paths.

  • Periodically test incident response processes to ensure timely and accurate reporting.

Periodic Review

  • Frequency: Annually or after significant incidents or changes in processing activities.

  • Responsible Role: Data Protection Officer (DPO), IT Security Team, or Compliance Team.

  • Outcome: Confirm that breach notifications are timely, complete, and compliant with GDPR, and that breach documentation is accurate and up to date.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover.

  • Legal Exposure: Enforcement actions for delayed or incomplete breach notifications.

  • Reputational Damage: Loss of trust from data subjects, regulators, and partners.

  • Operational Risk: Inadequate breach management may worsen the impact on data subjects and increase regulatory scrutiny.