The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Does A Company Need To Notify Regulators Every Time It Suffers A Data Breach?

Answer: No.

A company is required to notify a supervisory authority in the event of a personal data breach without undue delay and, where feasible, not later than 72 hours after being aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

A company becomes aware of a breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. This directive takes into consideration that the company may need to undergo a short period of investigation once it first detects a possible breach to determine with a reasonable degree of certainty whether a breach has taken place. After initial notification occurs, the company may then conduct a more detailed investigation. As additional information is learned, a company may provide it to regulators in phases. If notification is not made within 72 hours, the company should include the reasons for the notification delay when it does reach out to a regulator.