If a personal data breach communication must be provided to an individual, it must describe in clear and plain language the nature of the personal data breach. If a personal data breach must be notified to a supervisory authority, the description of the nature of the breach should include, where possible:
- The categories and approximate number of individuals concerned, and
- The categories and approximate number of personal data records concerned.
Both the communication to the individuals and the notification to the supervisory authority should also contain:
- The name and contact details of your data protection officer or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, if appropriate, measures to mitigate its possible adverse effects.
If all of this information cannot be provided to the supervisory authority at the same time, it may be provided in phases, as soon as it becomes available and without undue further delay.
If the controller has not provided a personal data breach communication to the individuals, the supervisory authority may require it to do so. Before doing so, the authority considers how likely the breach is to result in a high risk to the rights and freedoms of individuals, and whether any of the conditions that excuse the controller from providing a communication have been met. If none of those conditions applies, the authority may require the communication.
This blog is the 27th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.