A committee of the EU’s Council of Ministers met recently to discuss the new EU General Data Protection Regulation. Provisional agreement was reached on the wording of the data breach notification provisions. It was agreed that a data controller should be obliged to notify a personal data breach which may result in “physical, material or moral damage” to supervisory authorities within 72 hours of becoming   aware of it.  Individuals whose “rights and freedoms could be severely affected by the breach” should also be informed “without undue delay”. Other provisions in the Regulation have yet to be agreed.

Council of the European Union – Note – October 2014