The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Does a Company Need To Notify Impacted Individuals Every Time It Suffers A Data Breach?

Answer: No.

Notification to individuals is required if a personal data breach is likely to result in a “high risk” to the rights and freedoms of natural persons. In such situations, notification must be made without undue delay. It is worth noting that the threshold for notifying individuals is higher than for notifying regulators where notification is required unless te risk to individuals’ rights and freedoms is “unlikely.”

A communication to impacted individuals should be made as soon as reasonably feasible and in close cooperation with a supervisory authority.

Notification is not required, however, if:

(a) the data is encrypted or otherwise unreadable to an unauthorized party;

(b) the controller has immediately taken steps to ensure that the high risk to individuals is no longer likely to materialize, or

(c) notification would take a disproportionate effort where, for example, the contact information is unknown, in which case public notification must be made.