A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.
Data controllers must notify the supervisory authority (in the UK, the Information Commissioner’s Office, or ICO) without undue delay when they become aware of personal data breaches that are likely to result in a risk to data subjects’ rights and freedoms.
Where feasible, this must be done within 72 hours. Failure to do so could leave you facing administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.
Data controllers must also notify data subjects without undue delay if there is a high risk to their rights and freedoms. Note that, if the breached data is anonymised or encrypted to the extent that it is no longer possible to identify data subjects, there is no risk, and no notification is required.
According to Article 33, data controllers must provide the following information to the supervisory authority:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of your DPO or other contact point from whom more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures you have taken, or propose to take, to deal with the breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If you don’t have all the information to hand within 72 hours, don’t worry: the GDPR allows you to provide the information in phases, although you must provide an explanation for the delay.
If you need urgent help, contact us on 020 4525 3748 and we can offer urgent, expert advice.