Articles 33 and 34 set out the conditions for notifying the supervisory authority of data breaches and communicating breaches to data subjects.
They state that:
- Data processors must report all breaches of personal data to data controllers “without undue delay”;
- Data controllers must report breaches to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them if there is a risk to data subjects’ rights and freedoms; and
- Data subjects themselves must be notified “without undue delay” if there is a high risk to their rights and freedoms.
A data breach notification procedure should set out the roles and responsibilities that will enable you to fulfil these obligations.
