In August 2019 the Data Protection Commission (“DPC”) issued a succinct and helpful Guidance Note on GDPR Breach Notifications.
Whether you are a data controller or data processor, you are obliged under the General Data Protection Regulation (“GDPR”) to take certain action once a data breach occurs. Data processors must notify their data controller of any personal data breach without undue delay. Data controllers must, within 72 hours of becoming aware of the breach:
- Notify any personal data breach to the DPC, unless it is unlikely to result in a risk to the data subjects; and
- Communicate that breach to data subjects, where the breach is likely to result in a high risk to data subjects.
How to know if there has been a breach?
A personal data breach is a security incident in which personal data is lost, destroyed, corrupted or illegitimately disclosed. A breach may be accidental, and as simple as sending an email to the wrong recipient. A breach may be deliberate, such as a planned phishing attack to gain client data.
What to do after a breach?
In addition to the strict notification requirements, the GDPR requires that a record be kept of all data breaches, including the assessment of each breach, its effects, and the steps taken in response. The DPC recommends that data controllers have internal breach procedures in place for recording when and how they became aware of a breach, together with details of how they assessed the risk posed by the breach itself.
How to notify the DPC?
A notification to the DPC can be done through the breach notification form on the DPC's website. It must contain:
- The nature of the personal data breach;
- Name and contact details of the relevant data protection officer;
- A description of the likely consequences of the breach; and
- The measures taken or proposed to be taken by the controller to address the breach.
If the DPC is not notified within 72 hours, the controller must provide a sufficient reason justifying the delay.
When to communicate a breach to data subjects?
If there is a high risk to data subjects, the controller should notify them of the personal data breach in clear and plain language. This should be done without undue delay. Where the controller has applied appropriate protection measures, such as encryption, to the personal data affected by the breach, it may not be required to notify the data subjects. Where there is not a high risk involved, a controller is ultimately free to decide whether to communicate a breach, but from a relationship-building viewpoint it may be appropriate to do so in certain situations.