If you think your organization has experienced a data breach that falls under the General Data Protection Regulation, there may be certain responsibilities you have to carry out. Here’s what to know about when and how to report a GDPR data breach.
Most organizations can’t afford to take GDPR data breaches lightly — and for a good reason! You’ve likely seen the headlines about how big corporations like Google, British Airways, and Marriott encountered the GDPR beast and haven’t gotten away unscathed, attracting huge fines due to GDPR data breaches. And while a breach itself is a big issue, if you delay and don’t report it promptly, the situation gets significantly worse. This is why you must be aware of the GDPR breach reporting requirements.
In this article, we’ll go over the specifics of GDPR data breach reporting. This includes when, how, and to whom you should report a GDPR breach and how to inform breach victims about their compromised data. But first, let’s briefly cover what qualifies as a GDPR data breach.
What Is a GDPR Data Breach?
The General Data Protection Regulation (GDPR) is a sweeping set of data security and privacy protection requirements that protect individuals who are in the European Union (EU) and European Economic Area (EEA). Although we’ve already covered what constitutes a GDPR data breach in detail in another article, we’ll quickly recap it here for you.
A GDPR data breach occurs when the personal data of a natural person (i.e., a “data subject”) becomes compromised accidentally or intentionally. Unlawful data compromise can result from various issues, including security breaches, processing or transmission issues, or other technical issues. To qualify as a personal data breach, the data must be:
- Destroyed or lost,
- Disclosed (to or by one or more unauthorized individuals),
- Used or accessed by one or more unauthorized individuals, or
- Improperly transmitted, stored, or processed.
A qualifying GDPR data breach can occur regardless of whether data is:
- At rest (such as when it’s stored on a server),
- In transit (transmitting between devices or endpoints), or
- In process.
How to Determine Whether Your Data Breach Requires GDPR Breach Reporting
With all of this in mind, how do you know whether your organization’s data breach falls under the scope of a GDPR-qualifying event that you have to report? Here are a few key considerations to keep in mind regarding GDPR data breaches.
Intent Doesn’t Matter
No, intent isn’t a factor in determining what counts as a GDPR data breach (although it can count as a factor in terms of fines and penalties — more on that later). Regardless of whether the breach resulted from an intentional cyber attack or an employee’s careless mistake or negligence, if protected individuals’ data are compromised, it qualifies as a GDPR data breach.
What Counts as a Data Breach Under GDPR
If the compromised personal data can directly or indirectly identify a “natural person” (as specified in article 4) or poses a risk to their “rights and freedoms,” then it falls under GDPR protection. This means that you’d need to report it to the proper authorities and, in some cases, to the data subjects themselves.
Data subjects the regulation covers include everyone physically located within the borders of the EEA, regardless of their citizenship and residency status. This means that virtually everyone (residents, travelers, immigrants and refugees alike) is covered under GDPR (with some exemptions).
Organizations That Must Report Personal Data Breaches
Not sure whether GDPR applies to you? The regulation and GDPR breach reporting requirements apply to all organizations that engage in “professional or commercial” activities involving use of data subjects’ personal information, regardless of where the organization is located. This includes companies that collect or process data on behalf of other companies or organizations.
GDPR also applies to companies that don’t collect Europeans’ data directly but receive the data from other companies to store, process or utilize. Some examples of such companies include:
- Data analytics companies,
- Outsourced customer care units, and
- Cloud storage platforms.
Now that you have a better idea of what qualifies as a GDPR personal data breach and when you must report one, let’s break down the GDPR breach reporting process.
GDPR Breach Reporting: When (and to Whom) Do You Report a Breach?
Whenever the data controller (the person/organization who has collected the personal data) becomes aware of a GDPR data breach, article 24 specifies that they should notify their GDPR supervisory authority “without undue delay.” (We’ll speak more to who supervisory authorities are in a moment.) In the same way, if the data processor finds out about a personal data breach, they’re responsible for notifying the controller without any unnecessary delays as well.
Controllers Must Report GDPR Breaches Within 72 Hours
GDPR article 33 states that the maximum time limit for GDPR breach reporting by controllers is 72 hours. This means that within three days of becoming aware of the breach, the controller must notify the supervisory authority.
- If the controller takes more than 72 hours to report the breach, they must provide a justifiable reason.
- If the processor becomes aware of a data breach, they must notify the controller of the matter “without undue delay” (although GDPR mentions no specific time constraints for processors).
- If it’s not possible to collect and report all of the breach details at a single time, the controller must keep providing details “in phases without further undue delay.”
Okay, so when things are going wrong and you have to engage in GDPR breach reporting, where do you turn? You will report the breach to your designated GDPR supervisory authority, or what’s known as an SA. Article 51 identifies supervisory authorities as “independent public authorities” that are responsible for monitoring and enforcing GDPR applications and provisions.
Each member state has at least one SA, which serves as the first point of contact for controllers and data subjects within that territory. Both entities report to their member state’s SA to lodge GDPR data breach complaints or file reports.
Not sure who your supervisory authority is? Here’s a list of SAs for each EU member state.
What Information Do You Have to Report?
Let’s say you, as a controller, realize that a GDPR data breach has occurred within your organization. What exactly are you supposed to report to the supervisory authority? Article 33 specifies that your GDPR breach reporting document should contain the following details:
- An approximate number of affected data subjects. This refers to the number of people whose data is exposed or otherwise affected.
- The number of affected data records and their categories. If the exact number of records is not available at the time of reporting, an approximate number should be included. The data category refers to the types of sensitive data that were exposed (such as state ID numbers, phone numbers, email addresses, etc.).
- Name and contact details of the controller’s or processor’s data protection officer. The SA works directly with the organization’s data protection officer, who serves as their point of contact to obtain information about the breach. Article 37 identifies a data protection officer as someone who represents the controllers or processors either as an employee or a contractor and has strong knowledge of data protection practices and laws.
- The scope of risk. How is the data breach anticipated to affect the rights and freedoms of the victims?
- What measures you’ve taken to mitigate further damages. Here, you can share what you’ve done to stop the breach and mitigate the effects that result from it. You can also share what proposed plans you have to mitigate future GDPR data breach risks.
All these details are essential GDPR breach reporting requirements. Here’s an example of a GDPR reporting template from the United Kingdom’s Information Commissioner’s Office. You can also report a GDPR personal data breach on the European Data Protection Supervisor’s website using their online form.
You Don’t Have to Report All Breaches to a GDPR Supervisory Authority (SA)
GDPR breach reporting conditions are applicable only when an incident meets certain thresholds. If an incident isn’t likely to threaten or otherwise affect the individuals whose data is involved, then an organization may not have to report it to the GDPR supervisory authority.
Let’s consider the following example. Say one of your employees accidentally sends an email containing your customers’ personal information to another employee who isn’t authorized to access that data. The sender immediately realizes his mistake and notifies the recipient, who immediately follows procedure and deletes the email from the inbox and trash folder.
Because it’s unlikely to cause any threats to the rights and freedoms of the clients, a controller may not have to report this GDPR data breach to the SA. Likewise, they may not have to report it to the data subjects, either (i.e., the people whose personal data was shared).
(Note: Again, this isn’t legal advice. To figure out whether a data breach falls under GDPR breach reporting requirements, speak with an attorney.)
Notifying Data Subjects of a Personal Data Breach
Victims, also known as data subjects, are the people whose personal data is compromised by the breach. They have the right to know what data is compromised and how the breach will affect their privacy so that they can take necessary precautionary steps.
Article 34 outlines when you are and aren’t required to report a breach to data subjects.
When You Should Notify Data Subjects
Much like reporting a qualifying event to the supervisory authority, a controller also must inform affected data subjects about personal data breaches “without undue delay.” There isn’t any exact time frame stipulated in the law, though.
The controller should communicate the data breach under the supervision of the SA. They should also follow the GDPR breach reporting guidelines provided by the SA and law enforcement authorities. In these notifications, the controller should communicate specific types of information:
- the nature, circumstances, and the gravity of the breach,
- probable consequences,
- technical and organizational measures taken by the controller (or proposed measures) to curb the damages, and
- recommendations for the natural person to mitigate potential adverse effects.
If the controller fails to notify data subjects, the SA can directly communicate such a breach to the victims.
When You Aren’t Required to Inform Data Subjects
As we touched on earlier, organizations aren’t always required to inform individuals about personal data breaches. There are three scenarios in which your organization isn’t required to communicate to the affected individuals that a GDPR breach has occurred:
- If the controller has taken appropriate technical steps to make the data inaccessible to unauthorized individuals. For example:
  - the breached data is in an encrypted format, which is unlikely to get decrypted without the private key, or
  - the device is lost, but it is already protected with biometrics which the unauthorized person can’t break, or
  - the data is destroyed by negligence, but the technical department has a backup for it.
These are just hypothetical scenarios. In short, the controller doesn’t need to notify the data subject if the breach is unlikely to cause any unauthorized access. If the controller has taken sufficient technological and organizational measures, they can prevent unauthorized access.
- The scope of breach doesn’t affect the data subjects’ freedoms and rights. If the data breach is unlikely to affect the data subjects’ fundamental rights, freedom, and security, the controller doesn’t need to inform data subjects about the breach.
- If informing data subjects involves “disproportionate effort.” A controller can use public communications to inform affected data subjects if reaching out to those individuals requires excessive effort. (However, you’ll have to be able to justify why informing them is disproportionate.)
Data Subjects’ Rights When a Breach Has Taken Place
All personal data breach victims have a right to register complaints with an SA if they think their rights to data privacy are infringed. Article 77 states that the SA must inform the complainants of the progress and results of their complaints, including any possible judicial remedies (as outlined in article 78).
Furthermore, article 82 states that they may have a right to compensation from the controller or processor for material or non-material damages.
GDPR Violation Fines & Penalties
Violations of GDPR provisions can result in administrative fines. Article 83 states these fines may be “up to 10,000,000 EUR (total), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher” for specific infringements. In some cases, non-compliance may be subject to fines as high as 20,000,000 EUR or “up to 4% total worldwide annual turnover” in the event of an undertaking.
To decide the fine a controller or processor may face, many factors are taken into consideration, including:
- Scope or gravity of the incident,
- Negligence or intent regarding the infringement,
- Number and types of data compromised,
- What measures the controller took to prevent the breach, and
- Whether the organization has other GDPR infringements.
Another important factor is whether you followed the GDPR reporting guidelines. If the controller reports a personal data breach to the SA and data subjects on time, and the reports are formatted to meet the requirements of article 33, recital 85 and recital 88, the penalty may be reduced. However, simply reporting the breach (i.e., adhering to that single GDPR reporting requirement) won’t allow you to escape all fines or penalties. After all, this is only one of the deciding factors of your data breach fines.
Final Words on GDPR Breach Reporting Requirements
If your organization is collecting or processing Europeans’ personal data, you must be aware of everything related to GDPR data breaches, reporting requirements, and infringement penalties. So, make sure you are taking all necessary technical and organizational steps to protect users’ data and prevent GDPR data breaches.