GDPR Notification Requirements

Currently there is no general responsibility for companies who process data of EU citizens to report a data breach to data subjects, although some companies do send notifications as a matter of course. Once the General Data Protection Regulation (GDPR) comes into force, on 25 May 2018, there will be a requirement to notify data subjects of a data security breach, in certain circumstances.

The other major change to data breach notification requirements is that breaches must now be reported to the Data Protection Authority (DPA), within 72 hours of the breach becoming apparent, wherever possible. If a breach is not reported within 72 hours, the notification must be accompanied by reasons for the delay.

One point that is important for companies to know is that the clock does not start ticking on the 72 hours until the data controller can reasonably be considered to be aware of the data breach. This means that companies have a limited amount of time to investigate data breaches, and determine whether a breach has actually occurred, before they start taking action to report the breach. It is important to note that breaches only have to be reported if they represent a risk to the rights and freedoms of data subjects.

In the case of notifications to data subjects, there is no stipulated time frame, except that the notifications must be made ‘without undue delay’. Companies also need to be aware that these notifications only need to be made if there is a high risk to the rights and freedoms of data subjects. When considering the level of risk, companies should think about aspects such as the amount of data subjects that are affected and how easy it is to identify individuals from the data that is the subject of the breach.

The notifications to data subjects should include information about actions that the data controller is taking to alleviate the issue caused by the data breach. They should also provide information about what actions the data subjects need to take, to protect them. If the risk to the data subjects’ rights and freedoms is urgent companies should consider providing this information by the quickest methods, such as by email, text or a notification on the company’s website.