The General Data Protection Regulation (GDPR) safeguards digital privacy for European Union residents. The European privacy regulation includes strict data breach notification requirements. Even if a data breach is not serious, failure to follow reporting rules can have damaging consequences. This article will explain how GDPR breach reporting works and how to avoid compliance penalties.
Key takeaways
- Under GDPR, organizations must report a personal data breach to a Data Protection Officer (DPO) within 72 hours.
- Failing to report a data breach can lead to fines of up to €10 million or 2% of global revenues. Fines can rise to 4% of international revenues for larger companies.
- GDPR data breaches include unauthorized access. Loss, alteration, or disclosure of personal data are also regulatory violations.
- Companies must notify the appropriate Data Protection Authority (DPA). DPAs vary depending on the location of the organization's operations and data.
- Breach notifications include details about the data breach and contact information. They also detail the consequences of the breach and document measures taken to address and prevent similar incidents.
What is GDPR breach notification?
A data breach is an incident that exposes or potentially exposes personal data. Preventing breaches is one of the core objectives of the GDPR. And organizations that put data at risk are liable for severe financial penalties from European regulators.
Article 33 of the General Data Protection Regulation deals with breach notification. This article sets a 72-hour deadline for data breach reporting. It includes information about what to include and who to notify.
Under EU law, disclosure of identifiable data can potentially harm individuals concerned. The possibility of harm explains why security breach penalties are so severe and why breach reporting is a regulatory priority.
Understanding the scope of data breaches under GDPR
According to Article 33, a data breach occurs when companies violate EU data protection rules or data privacy legislation. Potential breaches include:
- Incidents destroy or change personal data without consent from data subjects
- The encryption of concealment of personal data, making it unavailable for data subjects
- The disclosure of individual information without authorization from data subjects
- Allowing unauthorized individuals access to private data
“Personal data” is a special category under GDPR. It refers to data that can identify an individual, either alone or in combination with other information.
Companies seeking to avoid a personal data breach must protect personally identifiable information with adequate controls. They must also meet the three core principles regarding user rights:
- Confidentiality. Companies can only share or disclose personal data with consent from individuals.
- Availability. Data subjects can access, change, and delete personal data.
- Integrity. Data must remain consistent. Unauthorized editing is prohibited.
There are many types of data breaches under GDPR. All breaches require notification. For example:
- Companies could accidentally lose or destroy health records. Even if there is no evidence of harmful exposure, this counts as a personal data breach.
- Organizations can allow too much access for employees to sensitive data. Exposure of personal data to a single unauthorized employee could be an actionable data breach.
- Corporate networks could suffer ransomware attacks that encrypt user data. This prevents subject access requests and compromises data availability.
GDPR breach reporting requirements: the 72-hour deadline
You must notify regulators within 72 hours following a data breach. This period begins when:
- The data controller detects a personal data breach
- The controller receives a breach notification from a data processor
When a data breach occurs, the controller must notify its DPO. The DPO must then notify Data Protection Authorities (DPAs) wherever data exposure has occurred. If there are any delays, the reporting organization must include an explanation.
DPO responsibilities for notification include:
- The nature of the breach
- The number of affected records
- Contact details for the DPO
- Consequences of the breach
- Mitigation measures
Potential consequences of failing to report a breach
Failure to report a personal data breach can result in significant GDPR penalties. Poor reporting also has wider implications for the health of businesses.
EU regulators can levy penalties of €10 million or 2% of global turnover for not reporting less serious breaches. Penalties rise to €20 million or 4% of turnover for the largest personal data breach cases. There are no upper limits to this amount. Regulators will apply the highest possible fine according to GDPR rules.
The consequences extend beyond fines. Companies with a poor compliance record lose customer trust, their reputation suffers with potential business partners, and their brand will struggle to compete in the European market.
A personal data breach could also lead to lawsuits from data subjects. Damages from these lawsuits can multiply the fines levied by regulators. In some cases, criminal investigations can follow GDPR penalties. Having a robust breach detection and reporting system is essential.
Who should be notified when a data breach occurs?
Companies must report every personal data breach to a relevant Data Protection Authority (DPA). Every European Union country has a DPA, which applies data protection regulations and investigates breaches.
- If breaches expose data in a single country, the Data Protection Officer only needs to notify the local DPA.
- Data controllers operating in many EU jurisdictions must notify the Lead Supervisory Authority (LSA). The LSA is in the country where the controller makes decisions about handling and protecting data.
- Companies with no European office must notify regulators wherever data is exposed.
Notification of data subjects: assessing risks and exceptions
Companies may need to notify data subjects following a personal data breach. Reporting to individuals applies if there is a risk of harm to the data owner. Examples of harm include the exposure of data leading to reputational damage. Or it could entail identity theft for use in financial crimes.
When calculating the risk of harm, DPOs should assess:
- How many individuals are affected by the personal data breach
- The identity of those affected
- Whether the personal data breach has exposed sensitive data
- Whether the exposure of sensitive data has led to a high risk of harm
In practice, if a breach is reportable to regulators, the data controller should usually inform data subjects. However, there may be some exceptions to this rule.
For instance, a data breach may technically expose high-risk data. However, encryption makes exposed personal data unusable, ensuring that the data remains unavailable to outsiders. The breach would, therefore, carry a limited risk of harm.
Mitigation measures by a controller can also address risks to individuals. Prompt corrective actions can make further notification unnecessary. For instance, organizations might immediately block unauthorized access following a personal data breach. If they quickly allow users to gain access to their data, this may not be a regulatory violation.
Sometimes, the burden of reporting to subjects outweighs the risks to individuals. In this case, the data controller must explain why. It must prove to regulators that notification actions are excessive or not worthwhile.
Report breaches to avoid GDPR penalties
Reporting data breaches is a critical part of complying with GDPR. And the scope of breach reporting is wider than you might think.
Data breaches cover the exposure of personal data to unauthorized actors. Companies need to notify regulators about the deletion or alteration of data without consent. And data breach reporting also covers instances when users cannot exercise their right to access data.
Compliant organizations must ensure notification within 72 hours of every personal data breach. They need to ensure they notify regulators and relevant individuals. Taking proactive steps to remedy GDPR issues is also crucial.
Companies that lack these policies and procedures will suffer severe regulatory penalties. Establish breach reporting measures and ensure your data protection setup is GDPR compliant.
Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.