What is a data breach under the GDPR and what do you do when one happens?

Under the GDPR, the term “personal data breach” means a breach of security that leads to the:

  • Accidental or unlawful destruction or loss of,
  • Accidental or unlawful alteration of, or
  • Unauthorized disclosure of, or access to,

personal data that have been transmitted, stored or otherwise processed.

After becoming aware of a personal data breach, you must notify, without undue delay:

  • The supervisory authority, if you are the controller, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals
    • The notification must be given, where feasible, within 72 hours after you became aware of the personal data breach
    • Where notification is not made within 72 hours, it must set forth the reasons for the delay
  • The controller, if you are the processor.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to the affected individuals without undue delay.  This communication is unnecessary if any of the following conditions are met:

  • Appropriate technical and organizational protection measures have been implemented by the controller, and those measures were applied to the personal data affected by the personal data breach (e.g. encryption)
  • Subsequent measures have been taken by the controller that ensure the high risk to the rights and freedoms of individuals is no longer likely to materialize
  • Disproportionate effort would be involved.  In this case, a public, or similarly effective, communication should be given to the individuals

The controller must keep a record of any personal data breaches.  This record should contain:

  • The facts relating to the personal data breach,
  • Its effects, and
  • The remedial action taken.

This blog is the 25th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What needs to be in a personal data breach notification?
