A data breach means the security of personal data has been compromised and it usually leads either to its loss, alteration or unauthorized disclosure. In case of such a breach you will need to notify the relevant supervisory authority if there’s a risk of compromising the rights and freedom of the individuals. For example, you could be dealing with a breach of your clients’ data, a case that leaves the individuals vulnerable to identity theft. How and when to notify a data breach should also be decided on a case basis. The previous example for instance should be announced as soon as possible. However, if the data theft is for example a staff telephone list, the risk for the individuals is lower.
If the data breach presents a risk to the rights and freedom of the individual, you must also notify those directly affected, not just the supervisory authority.Data processors should notify the controllers “without undue delay” after becoming aware of the breach. Data controllers should notify the supervisory authority within 72 hours of becoming aware of the breach. However, you might be saved by the security methods you use. If the data stolen is encrypted for example and therefore impossible to access by those who stole it, the obligation to inform the affected individuals is no longer valid.
When you do notify a breach, there are certain informations you must include. To begin, you need to include the nature of the breach such as the number of individuals affected and the numbers of personal data records affected. You also need to include the contact details of the data protection officer (if your organization has one). Also, you should include a description of the possible consequences of the data breach and a description of the measures that will be taken. Failure to notify a breach in a timely manner will subject you to the standard fines of the GDPR, that is, up to 10 million Euros or 2% of your global turnover.