To save yourself from the hefty fines that follow a data breach affecting people in the European Union, you need to follow the General Data Protection Regulation to a tee. It’s mandatory for your organization to inform individuals that their data may have been breached. So, let’s look at how to put together a GDPR breach notification and what information you should include…
In the Cost of Data Breach Report 2021, IBM reported that customers’ personally identifiable information was included in 44% of breaches, making it the most common type of record lost. If your organization has been affected by a data breach, you must report the incident to the relevant authorities as per the applicable regulations. No one is exempt from GDPR breach reporting; even Amazon received a whopping $888 million (€746 million) GDPR violation fine in July 2021!
The General Data Protection Regulation (GDPR) is a data privacy regulation that went into effect on May 25, 2018 to protect the data privacy and integrity of people located in the European Union (EU). The act applies to virtually all organizations that gather, process and/or store the data of these covered individuals for commercial or professional purposes, regardless of whether the organization collecting the data is located in the EU.
If your organization experiences a data breach, you need to report the breach in accordance with the rules outlined by GDPR. In our previous article, we explained what the GDPR reporting requirements are. In this article, we’ll look at two examples of GDPR data breach notifications. But first, we’ll walk you through what information to include and explore a GDPR breach notification template to help you notify affected parties.
Who Must Issue a GDPR Data Breach Notification?
The European Commission describes GDPR as applying to businesses and organizations that can be described as the following:
“1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.”
The above regulations define the applicability of GDPR. If you’re one of these types of organizations, it’s likely that GDPR applies to you. However, there are the following exceptions to the rule:
- GDPR doesn’t apply if the data is collected solely for personal purposes or as household activity. (It only applies to professional and commercial uses.)
- If the organization collecting or processing the data has fewer than 250 employees (i.e., it is an SME), it is not obligated to keep records of processing activities, according to GDPR Article 30.5.
Noteworthy GDPR Terms You Should Know
It is crucial to know whether you’re operating in accordance with GDPR guidelines and whether GDPR regulations even apply to you. So, let’s look at the terms used in the GDPR to describe different parties:
- Data subjects: Data subjects are individuals whose data is processed by a third party. When you buy something online, the vendor collects data such as your name, address, phone number, and bank details. You are the data subject in this case.
- Data controllers: An entity that’s responsible for determining the purpose of the personal data processing (although they don’t perform the processing themselves).
- Data processors: An entity that processes data on behalf of the data controller. Sometimes, data controllers recruit agencies to help them analyze the data they have collected. These agencies are called data processors.
- Small and medium enterprises (SMEs): Enterprises with fewer than 250 employees.
- Data protection authorities (DPAs): These are the public authorities that oversee the application of GDPR regulations. DPAs have investigative and corrective powers.
- European data protection supervisor (EDPS): EDPS is the data protection authority for all European Union institutions.
Issuing a GDPR Data Breach Notification: A Look at What You Need to Do
So, what are you supposed to do if you find out that you have a data breach? Well, you’re obliged to take the following steps:
- Notify the European data protection supervisor (EDPS) about the breach. This important step must be completed within 72 hours of the breach being discovered (or, if it was discovered by a data processor, of it being reported to you). This notification should include information about:
  - The nature of the data breach,
  - Contact information for your enterprise,
  - The likely consequences of the breach, and
  - Any measures your organization has taken to stop the breach and mitigate its effects.
- Provide a valid reason for a tardy GDPR data breach notification. If you notified EDPS more than 72 hours after the breach was discovered, you need to provide a valid reason explaining why you didn’t report it sooner.
- Notify EDPS (using the personal data breach notification form) with timely updates. If you couldn’t provide all of the details about the breach initially, provide EDPS with an update as soon as you have the information available.
- Inform the data controller about the breach immediately. This one applies to data processors. If you’re a data processor that has experienced a breach, you must inform the affected data controller(s) in a timely manner.
- Inform all affected data subjects about the breach. Contact the people whose personal data has been breached and explain whether there is a risk to their rights or freedoms.
Now you know what to do if you face a data breach. If you fail to comply with the requirements of GDPR, you could be subject to heavy fines. The fines can be as high as €20 million, or 4% of the company’s annual global turnover. (Remember the Amazon fine we mentioned earlier? Yeah, it could be massive like that depending on the size of your organization and the extent of the breach in question.)
As you can imagine, it’s imperative to fill out the appropriate forms at the appropriate time. Let’s look at the procedure in more detail.
How to Notify the Appropriate Authorities (DPA and EDPS)
To notify the data protection authority about the data breach, you’ll have to determine which DPA you fall under. If your enterprise is in the European Union, then the DPA nearest you will be your supervisory authority. However, if you aren’t based in the European Union but still fall under the purview of GDPR, your DPA will be the one in the member state where the largest number of your EU customers are based. Here is the list of the DPAs in the European Union for your reference.
To notify the European data protection supervisor, you can fill out the personal data breach notification form on the EDPS website. All the DPAs have the required form on their websites. The following screenshot shows this form:
The EDPS website gives detailed instructions on how to complete the data breach notification form. We won’t get into all of that here.
How to Notify Your Data Subjects
GDPR applies to companies based anywhere in the world that collect and process the data of EU citizens. Drafting a letter that meets all the regulations of GDPR is sometimes challenging, as the laws of the European states differ from one to the next. So, when you’re drafting a data breach notification letter to your data subjects, make sure that your letter complies with the laws applicable in your state along with the standard industry norms. Instead of simply copying the template, you should consider the specific circumstances of your enterprise’s data breach.
Before sending out the notices, you should have them verified by your legal counsel and your public relations officer (PRO), as these notices sometimes end up as part of a legal battle or under the public lens. As mentioned earlier, data subjects should be informed within 72 hours of the breach. If you have not done so, you should give them the reason behind the delay.
Additional Information for U.S. Companies Who Must Report a GDPR Data Breach
GLBA and HIPAA are data privacy laws for the citizens of the United States of America. If your enterprise or its data falls under the purview of the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA), you should also check the requirements of the respective acts for reporting your breach to the relevant agencies. The rules governing these acts are different from GDPR and, hence, the template given here might not be sufficient.
The notice is sent to individuals whose data might have been breached. You should not forget that these individuals include your employees, customers, or subscribers who might not be tech savvy. The notice should be written in plain language to avoid confusion. It can be given in the form of email, telephone conversation, or any other means approved in your state. Sometimes, if the number of affected individuals is too high, the state might even approve the use of public media to notify the affected parties.
What Information to Include in a GDPR Data Breach Notification
The notice to your data subjects should include the following information:
- The date of the notice
- The contact details of the enterprise
- Date and timeline of the breach
- Reasons for delay in the notification if applicable
- Description of the data breach
- The categories of personally identifiable information (PII) at risk
- Steps that were taken by the enterprise to mitigate the risk
- Steps that should be taken by affected individuals
- Contact information of the Federal Trade Commission (FTC) and national consumer reporting agencies
GDPR Breach Notification Template: How to Create a Letter to Notify Affected Individuals
Now that we know what a qualifying breach notification is and which organizations need to provide them, it’s time to look at a GDPR data breach notification template more in depth. Note: You can adapt this template to notify your data subjects of a breach. Remember to tailor the message to address your specific situation:
Notice on company letterhead
NOTICE OF DATA BREACH
Date of Notice
Name of the data subject
Address of the data subject
We value all our customers and respect their data privacy. However, we are writing to inform you about a data security incident involving your information associated with your online purchase from our website (your website). We are giving you this notice as a potentially affected individual and recommend some actions to help you protect yourself from identity theft or other fraud.
Data Breach Incident
Describe the incident briefly with the date of the incident and how long the incident continued.
Mention the date on which the incident was discovered. If the notice was delayed, then provide a reason for the same.
Personal Information Involved
The data breach incident might have involved the following personally identifiable information:
- Phone number
However, the following information was not accessed by the actors:
- Credit card number
- Bank account number
Actions We’ve Taken
As ardent supporters of data privacy, we deeply regret this data breach incident. We assure you that we are doing our best to investigate the incident thoroughly. We have engaged a well-known cybersecurity firm (name of the firm) to help us with the task. They will also set up additional security measures to prevent such incidents in the future.
We have also informed the law enforcement departments and have promised our full cooperation in their investigation.
What Steps You Should Take
To protect yourself from any potential resulting fraud or identity theft, we recommend you take the following actions:
List precise actions to be followed by the data subject.
Important Contact Information
For further information or any questions on the incident, you can contact us:
Name of the company representative
Contact information of the company representative
You can also visit (link to a government website with information about privacy laws).
Exploring a Real-World GDPR Notification Example
The popular graphic design platform Canva had a data breach on May 24, 2019. They sent the following two letters to customers to inform them about the breach:
GDPR Data Breach Notification Example #1
This first example illustrates some of the points we talked about earlier in the article. However, this wasn’t the first or only email Canva had released about the incident, according to Dave Hall, a developer and cloud security consultant. Hall also posted a second screenshot on Twitter of the original message that many customers received (below).
GDPR Data Breach Notification Example #2
Simply put, the second example isn’t a good way to approach writing a data breach notification. In this case, Canva buried the information about the breach in the middle of the release.
It’s a good thing that they recommended customers change their account passwords. According to a follow-up statement posted on Canva’s website a few days later, it turns out that 4 million users’ account passwords were decrypted in the security incident.
Final Words on GDPR Breach Notification
GDPR regulations are the EU’s effort to ensure the security of individuals’ private data and to help protect their rights to have control of their personal information. These regulations lay out very specific rules for reporting data breach incidents. We’ve looked at how you can report a data breach to the proper authorities and how to notify the individuals whose data has been breached.
We hope that now you feel more certain of the steps you need to take when drafting a GDPR data breach notification to inform your customers or users of a security incident.