Have you considered what to do in case a data breach occurs? GDPR compliance requires data breach notification procedures for businesses that process and monitor personal EU citizen data.
In this article, we’ll explore GDPR data breach notification compliance requirements, including timelines, best practices, and internal and external reporting requirements.
Let’s dive right in.
General Data Protection Regulation Overview
General Data Protection Regulation Overview.png
The GDPR is a set of regulations passed by the EU to protect EU citizens’ data.
It is the most comprehensive data protection law in the world currently and has seven principles:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
This sixth one, integrity and confidentiality, is of vital importance for our discussion here as it deals with processing data securely and protecting it from unlawful and unauthorized processing, accidental loss, damage, or destruction.
If a data breach occurs and you have failed the 6th principle of GDPR, your company may face one of two potential types of fines:
€10 million or 2% of annual revenue (whichever is higher) for less severe infractions
€20 million or 4% of annual revenue (whichever is higher) for more severe infractions
GDPR Data Breach Notification Requirements
GDPR Data Breach Notification Requirements.png
The GDPR data breach notification is a message sent by your business to customers whose data may have been compromised in the incident.
It serves to achieve the following:
Inform users of the breach
Communicate the steps you will take to address it
Advise the users on the steps they should take to reduce the risk to their data
Show accountability by providing timely and accurate information about the breach
What Constitutes a Data Breach Under GDPR?
The GDPR very clearly defines a “data breach” in Article 4 of the GDPR as:
“Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
The European Commission has a similar definition of a data breach, which says:
“A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.”
GDPR Data Breach Notification Timeline
Under Article 33 of the GDPR, organizations must notify relevant authorities within a maximum period of 72 hours after becoming aware of any data breach that might occur.
Elements of GDPR Data Breach Notification
The same article also specifies in Act 3 the required elements of a personal data breach notification, or how it should look like.
These requirements are:
The notification should describe the nature of a data breach, including, if possible, categories and numbers (approximate) of both affected data subjects and personal data
The notification should provide the name and contact information of the data protection officer (DPO) or another contact in the company, like a chief privacy officer (CPO)
It should also describe the possible effects of a data breach and,
The notification should outline the measures your business will take or propose to address the data breach
Data Breach Response and Mitigation
Data Breach Response and Mitigation.png
Although reporting the data breach timely and truthfully is essential for transparency and trust, more is needed to solve the problem.
You also have to take appropriate actions to respond and remedy the breach.
Here are the additional steps you must take to address the breach:
Inform the DPO of your organization: The moment you identify the data breach, you should inform the data protection officer of your organization, who will then take charge of the issue
Determine the scope and potential impact of the incident: Namely, you should identify what data has been breached and which users’ or data subjects’ personal or financial data might be compromised
Notify the affected data subjects and the authorities of the breach
Take measures to contain and minimize: Further unauthorized access to the sensitive data of your consumers
Review your existing security measures: Ensure you have the appropriate security measures in place as that may help you and update security measures if necessary, and continue monitoring the situation
Tony Foley, a consultant at Wolters Kluwer Legal & Regulatory U.S. says:
“Internally, businesses should have an incident response team in place to immediately put its response plan in place the moment a data breach is discovered. Externally, the GDPR requires controllers to notify the national supervisory authority of a breach without undue delay and within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
The GDPR’s Article 33 clearly states the timetable in which a business should report a data breach.
Again, you have 72 hours to report this to the relevant authorities.
Although the regulation doesn’t say anything about internal reporting, it’s clear that the timetable here is even narrower.
Once you identify the data breach, report it immediately to the DPO or person responsible for data protection in your organization so they can take appropriate action, including crafting a GDPR data breach notification and conducting a plan of action.
You also need to report the data breach to the relevant supervisory authorities.
Article 51 GDPR (Supervisory Authority) states that:
“Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.”
Here’s the list of data protection authorities (DPA) for each Member State.
Need assistance in GDPR data breach notification? Contact us today for a free consultation so we can get you on the path of compliance.
Communicating with Affected Individuals
Communicating the data breach incident with the affected individuals certainly won’t be easy. Your customers won’t be happy to hear this at all.
However, not communicating a data breach is much worse. This way, you risk alienating your customers and incurring legal penalties.
Tony Foley says:
“The GDPR requires data controllers subject to a breach to notify data subjects without undue delay of the nature of the breach, the likely consequences, and the measures being taken to address it, as well as the name and contact information of the DPO or other contact person. Specific modes of communication are not specified, but generally would include contact by e-mail, regular mail, phone, or “substitute notice” in mass media, as appropriate.”
Now, here’s how to craft the actual message for the data breach notification:
Crafting Effective Data Breach Notifications
Article 34 of GDPR (Communication of a Personal Data Breach to the Data Subject) provides clear guidelines for how you should communicate the incident:
“The communication to the data subject… shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in… Article 33.”
Here’s what an effective GDPR data breach notification looks like:
Personal Data Breach Notification
Dear [Customer Name]
We regret to inform you that on [Date of Breach] we have suffered a personal data breach, which affected a portion of our user base. We are writing to provide you with the necessary information regarding this incident and the measures we will undertake to address the situation.
Nature of Data Breach
On [Date of Breach] our IT security team detected unauthorized access to our customer database. The resulting data breach affected the following user information:
Full names
Email addresses
Billing addresses
Phone numbers
At this stage, we have not detected any breach regarding user passwords or financial data such as credit card numbers or bank account details as this information is protected by strict security measures, including end-to-end encryption and cryptography.
Possible Effects of a Data Breach
Although the incident did not compromise any financial data, we are fully aware of the potential impact it may have on our users. This information can be used for malicious activities, including targeted phishing campaigns. We advise extra caution with any unsolicited communication, especially if it involves sensitive data.
Measures to Address the Data Breach
We will take several steps to address the data breach and prevent another incident of its kind, including:
Perform a detailed analysis of the breach to determine its extent and identify potential security vulnerabilities
Review our internal security policies and how they align with GDPR and other relevant data protection and privacy laws
Update and reinforce our data security infrastructure to minimize the risk of future data breaches
Provide additional data protection and security awareness training and education to our employees
We also recommend that you take the following measures to protect your sensitive data:
Closely monitor your financial accounts for any suspicious and unusual activity
Avoid sharing personal and financial information when you are not sure if the request is legitimate
Do not open or click on unsolicited emails, links, and attachments (they might contain malware)
Change passwords to any accounts that might be affected in the data breach, and change any passwords that you are using on multiple accounts.
We sincerely apologize for any problems this data breach incident may have caused you.
Keeping your trust is of absolute importance to us and we are working tirelessly to prevent a similar incident in the future.
If you need more information, please don’t hesitate to contact our DPO via [DPO email] or [DPO phone]
Thank you for your cooperation and patience.
Yours sincerely,
[Your Name]
[Your Title]
[Company Name]
Offering Support and Assistance
The GDPR data breach notification isn’t just about informing your consumers of the incident. It should also explain what actions they need to take to protect their compromised data.
Continue to offer support and assistance to your data subjects through training, education, and other resources.
Record-Keeping and Documentation
Article 33 (5) states:
“The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken.”
This closely relates to the 7th GDPR principle – accountabilityor:
“The controller shall be responsible for, and be able to demonstrate compliance with paragraph 1” (Article 5).
The exact method for recording and documenting a data breach is left to the business in question, although they are encouraged to establish an internal register of breaches, regardless of whether they are required to notify or not.” (EDPB Guidelines).
The EDPB also states that the controller should record details of the breach, including:
Causes
What happened
Personal data affected
Additionally, you should document the actions you will take following the breach and the reasoning behind them.
Ultimately, how this documentation will look is left somewhat open and in the hands of your business. It’ll just need to demonstrate your accountability.
Assessing and Enhancing Data Breach Response
By assessing your data breach response, you can better identify weak areas where you’ll need improvement in the future.
Here are some steps you can take to enhance your data breach responses:
Measure your response time from the detection to the response initiation. This will help you identify any bottlenecks
Audit the plan for clarity in every stage, if it was followed as intended, and identify gaps
Look for feedback from the affected consumers, shareholders, and relevant authorities to analyze the effectiveness of your communication
Assess your regulatory compliance to verify that you followed the correct processes and actions
Appraise your containment measures. How long did it take you to identify which systems and data were affected or to disable compromised accounts?
Determine the root causes of the breach. Identify weak points of your system and areas for improvement
Get another pair of eyes on it. Have an independent 3rd-party evaluate your response plan and measures to offer recommendations on where and how you can improve
GDPR Data Breach Notification Best Practices
When creating a GDPR data breach notification, ensure that it helps our consumers understand the nature and the potential effect of the breach on their personal or financial data.
Here are some best practices that will help you do that:
Evaluate the scope and impact of the breach, such as the type of data compromised and which data subjects were affected
Create a data breach notification template that will rely on GDPR guidelines (Articles 5, 33, and 34 mentioned here already). Feel free to reference the template above, but customize as necessary.
Include all the necessary information, such as the description of the incident, what types of data are affected, potential impact, actions your business will take, actions you recommend consumers take, and contact information for your DPO
Make sure that you cover all the GDPR legal requirements
Provide additional resources like FAQs or material that can help data subjects better understand the problem
Document the response, including the dates, who you notified, and the contents of the notification for GDPR compliance
Personalize the notification wherever possible. For instance, instead of “Dear user,” start with “Dear Mr. Smith.” It will significantly increase their feeling of being important
Choose the proper delivery method. Usually, this will be email, but you can use text messaging, even postal mail if you wish, or a combination, depending on the number of affected individuals and the urgency of the response
Make sure that the notification is in clear language without jargon that consumers will easily understand
Real-Life GDPR Data Breach Notification Examples
Here are some real-life examples of GDPR data breach notifications that should inspire you to create your own if you ever needed for it:
British Airways
The British Airways cyberattack occurred in 2018 and affected between 380,000 and 500,000 customers, compromising their credit card details. Here is the data breach notification.
Why is it good?
The BA notification communicates what happened and shows the company’s accountability and commitment to addressing the incident. It also offers a good recommendation of what the customers should do next.
It’s also short and very clear.
One negative is that a link to a dedicated page would be more useful here than the homepage. Contact info for the DPO would work better.
Also, a heading of some kind would further improve it.
Superdrug
Also in 2018, the second largest health and beauty retailer in the UK, Superdrug, also experienced a data breach incident and sent out this security notice to its customers.
Why is it good?
First of all, Superdrug starts with the customer’s name (“Hi Rinhongii”) and not the generic “Hi customer.” So it gets points for building loyalty.
Next, Superdrug bolded some crucial elements which help the reader more easily find the relevant information ( “but not including your payment card information”).
Finally, all other elements of a data breach notification are there.
Of course, there are some areas where it could improve.
First, it’s a bit long and could use cutting in some places and better formatting. The second paragraph, in particular.
Also, although they provided the phone and email for customer service, it would be better to use the contact information of a DPO.
FAQs
Does GDPR Require Notification of Data Breach?
Yes, GDPR requires sending a notification of a data breach up to 72 hours after you become aware of it to the supervisory authority and affected data subjects.
Learn more about the benefits of outsourcing a Data Protection Officer.
When Must a Data Breach be Reported Within?
You should report a data breach within 72 hours of first identifying it, according to Article 33 GDPR.
Learn how a DPO as a Service (DPOaaS) can help your business stay compliant.
How Soon Must a GDPR Breach be Reported?
A GDPR breach must be reported no later than 72 hours after it is identified according to Article 33 of GDPR: Notification of a personal data breach to the supervisory authority.
Learn more about the GDPR compliance requirements here.
What are the Guidelines for Personal Data Breach Notification Under GDPR?
The guidelines for personal data breach notification under GDPR are outlined in Article 34: Communication of a personal data breach to the data subject.
Learn how to create a data privacy crisis management action plan in this article.
Who Do I Notify for Data Breach?
You should notify the data protection officer (DPO) of your organization, the relevant supervisory authority of your country, and any affected data subjects.
What are the data protection officer costs? Learn about them in this article.
How Can Captain Compliance Help You?
The average global cost of a data breach in 2022 was $4.35 million, according to IBM’s Cost of a Data Breach 2022 report.
This, however, only takes into account the business disruption costs and not the loss of consumer trust or the legal fines and penalties.
By creating an effective GDPR data breach notification, you ensure compliance but also show commitment to protecting your customers’ sensitive data and empower them to do the same.