So, your company has been hit by a data breach. The incident response team has assessed the impact on the rights and freedoms of the data subjects. Perhaps they concluded there is no risk to them. Even so, they still need to document the incident and the decision not to report, together with the justification for it.
In other cases, the response team may conclude that there actually is a risk to the rights and freedoms of the data subjects. It then needs to notify the supervisory authority without undue delay – that means within 72 hours of becoming aware of the breach. If you do not notify the authority within 72 hours, you need to state the reasons for the delay. If it’s not possible to provide all the information at once, you should provide it in phases without further delay.
Reporting a data protection breach
The notification to the supervisory authority needs to include the following information:
- Nature of the personal data breach (incl. categories, number of data subjects and of breached personal data records concerned)
- Likely consequences of the data breach
- Measures proposed and/or taken to address and mitigate the data breach and any possible negative effects
- Name and contact details of the contact point where more information can be obtained
- Date and time of the discovery of the data breach
You should get written confirmation from the supervisory authority that they received the breach notification.
In the next part of this article series, you will find out what to do when there is a high risk to the data subjects.