Part II of this guide picks up where we left off last time. We will discuss what happens after the incident response team has assessed the impact of a breach on the rights and freedoms of the data subjects. If you want to know more about how to prepare for a data breach and the steps that lead up to this article, read Part I here.

No risk to the data subjects

In some cases, the response team's assessment may conclude that there is no risk to the rights and freedoms of the data subjects. Even then, you still need to document the incident and the decision not to report it, together with the justification for that decision.

Risk to the data subjects

In other cases, the response team may conclude that there is a risk to the rights and freedoms of the data subjects. Then you need to notify the supervisory authority without undue delay. That means within 72 hours of becoming aware of the breach. If the notification is not made within 72 hours, you need to state the reasons for the delay. If it is not possible to provide all the information at once, you should provide it in phases without further delay.

The notification to the supervisory authority needs to include the following information:

  • Nature of the personal data breach (including the categories and number of data subjects and of personal data records concerned)

  • Likely consequences of the data breach

  • Measures proposed and/or taken to address and mitigate the data breach and any possible negative effects

  • Name and contact details of the contact point where more information can be obtained

  • Date and time of the discovery of the data breach


You should get written confirmation from the supervisory authority that they received the breach notification.

High risk to the data subjects

The response team's assessment may conclude that there is a high risk to the rights and freedoms of the data subjects. If so, you must notify the data subjects without undue delay after becoming aware of the breach. You must also notify the supervisory authority as described above. If you have taken measures to mitigate the high risk to the data subjects and the risk is no longer high, you don't have to notify the data subjects.

You should notify the affected individuals right away, unless doing so would involve a disproportionate effort. In that case, you can make a public communication instead. Make sure the communication maximises the chance of reaching the affected individuals; a blog post on its own, for example, is unlikely to be enough. Also, don't bundle the notification with other information such as a newsletter. The notification of the breach should be clear and transparent.

If there is an immediate risk of damage, you should notify the affected individuals as soon as possible. If there is no immediate risk, seek guidance from the supervisory authority before you send out the communication. In some cases, you first have to take appropriate measures to stop the breach or prevent it from continuing or recurring. Write the notification in clear and plain language, and make sure it includes the following information:

  • Likely consequences of the personal data breach

  • Measures proposed and/or taken to address and mitigate the personal data breach and its possible negative effects

  • Name and contact details of the contact point where more information can be obtained


Why you should comply

Now that we have discussed how organisations should react in the unfortunate event of a data breach, let's look at why companies should do their best to comply.

The most obvious reason is the size of the fines. The maximum fine for violating the data breach notification obligations under the GDPR is 2% of global annual turnover or 10 million Euros (whichever is higher).

However, not every data breach leads to a fine. Devices can be lost or stolen, and no system is unhackable. What matters in such situations is that you take the relevant steps: respect the timeframes and show willingness to cooperate with the supervisory authorities. The scope of their investigation depends on the seriousness of the breach. It will probably include questions on whether all appropriate technical and organisational measures were taken to ensure a level of security appropriate to the risk, in accordance with Art. 32 GDPR. It will also check your efforts to comply with other obligations under the GDPR. In the course of such an investigation, infringements may come to light that lead to fines not necessarily related to the breach itself. Those fines can reach a maximum of 4% of global annual turnover or 20 million Euros (whichever is higher).

But supervisory authorities don't just hand out hefty fines. If they find severe violations of data protection obligations, they can restrict the processing of personal data. Since this could drive a company out of business, the impact can be even bigger than that of a fine.

Apart from these regulatory consequences, an organisation's reputation may suffer severe damage. Even if the authorities find that the organisation was not to blame, a data breach will have a negative impact. To limit the damage, you should take preventive measures to earn and maintain the trust of customers, employees and the general public. Be transparent about how you process personal data. Showing that the organisation cares and takes measures to keep data safe can boost the business, so try to maximise the return on your data protection compliance efforts. As the general public cares more than ever about how their data is used, not complying is not an option.

So, there are good reasons to take data protection and incident management seriously: not only to avoid negative consequences, but also to reflect the importance of transparency and responsible data handling. With this in mind, make sure you prepare for a data breach. Test your procedures and routines to make sure everything goes as smoothly as possible. In an emergency, everyone in the organisation should know what part to play.