This is one of ten monthly alerts, counting down to the date when GDPR applies.6 months to go

U.S. companies already face a panoply of data breach notification laws enacted by 48 States and numerous regulators. Those subject to the GDPR may soon have yet another breach notification requirement to worry about.

Follow our chart below to determine if and when you must provide notice, who you must notify, and what your notice should include.

This text leaves open plenty of questions. However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data breach notification requirements. Here are some of the answers:

What is a "personal data breach"?

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed"

When could a breach be "unlikely to result in a risk to the rights and freedoms of natural person"?

For example, where the data was already publicly available, or where the data was encrypted and remains accessible to the controller (or adequately backedup); however, each personal data breach will need to be assessed on its facts

What is the difference between "risk" and "high risk" to persons' rights and freedoms?

"High risk" would exist where "the breach may lead to physical, material or nonmaterial damage for the individuals whose data have been breached," such as "discrimination, identity theft or fraud, financial loss and damage to reputation"

When does the controller become "aware" of the breach?

"When that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised," depending on the circumstances, this may allow for "a short period of investigation in order to establish whether or not a breach has in fact occurred"

What is "without undue delay"?

"As soon as possible" (or immediately, in the case of a processor giving notice to a controller)

Who is the "competent" supervisory authority" when a personal data breach affects individuals in more than one EU Member State?

The "lead supervisory authority," i.e., "the supervisory authority of the main establishment or of the single establishment of the controller or processor"

This article was co-authored by Peter Given, Legal Director at Womble Bond Dickinson (UK) LLP