What is a Personal Data Breach?
A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. GDPR, Article 4(12).
All breaches should be documented, not only those reported to the regulator: the facts of the breach, its effects, and the remedial action taken. GDPR, Article 33(5).
When a controller becomes aware of a breach, the controller must notify the regulator without undue delay and, where feasible, not later than 72 hours after having become aware of it. If notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
Notice need not be made if the breach is unlikely to result in risk to rights and freedoms of natural persons. Note that “high” risk is not needed, only risk. “Rights and freedoms” is broad, so the risk bar is low.
Processors must notify controllers without undue delay after becoming aware of a breach.
Notification to the regulator should include:
- Nature of the breach, including the categories and number of data subjects and records concerned
- Name and contact details of the DPO or point of contact
- Description of consequences
- Description of measures taken or proposed to address breach, including any mitigation
Controller Data Breach Worksheet
[] Is there a “personal data breach” under GDPR, Article 4(12)?
[] Is there a risk to the rights and freedoms of natural persons?
[] Controller became aware of breach: Date _____, Time _____
[] Can notification be made within 72 hours? If not, what is the reason for the delay?
[] Can notification information be provided all at once, or in phases?
[] Document the breach, including facts and remedial action.