When the General Data Protection Regulation becomes law, on 25 May 2018, businesses and organisations will face new rules regarding the reporting of a data breach.
Reporting a data breach to the Data Protection Authority (DPA)
GDPR stipulates that a business or organisation must report a data breach to the relevant DPA within 72 hours of becoming aware of the breach. In the case of especially complex breaches, where further investigation is required, a business or organisation may make an initial report within the 72 hours and follow this up with more detailed information as soon as possible.
Reporting a data breach to data subjects
Data breaches also need to be reported to data subjects when there is a high risk to the security of their personal data. This notification must be made without undue delay. When deciding on the level of risk posed by the breach, a business or organisation needs to look at considerations such as the amount of personal data involved and whether this personal data is already in the public domain.
When notifying the DPA and data subjects about a data breach, the business or organisation needs to include information such as contact details for the data protection officer (DPO), what happened during the breach, what amount of personal data was affected and what actions they are taking to deal with the problem. In communications with data subjects, the business or organisation should also explain what action is required of the data subjects, if any.
Failure to comply with GDPR data breach notification requirements can have serious consequences. The maximum potential fine is 10 million euros or 2% of annual turnover. This fine can be imposed in addition to the maximum fine for non-compliance with GDPR which is 20 million euros or 4% of annual turnover.