On 19 March 2018, Insurance Europe announced that it has developed a template that could help companies meet the obligation under the General Data Protection Regulation (GDPR) to notify their competent supervisory authority about personal data breaches. Further details are given on this webpage.

The GDPR will come into effect on 25 May 2018, and will oblige companies processing personal data to comply with new and more stringent data protection rules. One obligation will be for companies to notify (personal) data breaches to the competent supervisory authority.

Companies will have to submit the relevant information without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. Such information includes the nature of the breach, categories and approximate number of data subjects and of personal data records concerned, likely consequences and measures taken to address and mitigate the breach.

Insurance Europe says that the suggested template could be of particular interest to small and medium-sized enterprises (SMEs) and supervisory authorities. SMEs could rely on it instead of undertaking a descriptive exercise in the midst of a data breach, for which they may not have the resources. Supervisory authorities could benefit from a standardised format allowing them to share incidents data across borders, to better detect trends and to gain insights into combatting cyber threats across Europe.

The template is set up in such a way that the information gathered can be shared without the need to be anonymised or aggregated, as it will not be possible to identify a company through the information it submitted.

The template has three sections:

  • section 1: personal details and information on the affected company (not to be shared with third parties);
  • section 2: details on the data breach incident as per the indications in Article 33 of the GDPR, to be sent to the national supervisory authority, where feasible, no later than 72 hours after having become aware of the breach;
  • section 3: to be completed following the 72 hour period, when more information is available on the data breach, which includes complementary data sets to gain more in-depth knowledge of the nature of the breach.

An explanatory document on the template has also been published.