GDPR’s data breach notification requirements differ significantly from the existing ones. The regulation moves away from the current general notifications and introduces a practice built on defined policies and procedures. Under this law, businesses must report any data breach that, if left unaddressed, may have a substantially damaging impact on a person, such as financial loss, reputational damage, loss of confidentiality, discrimination or any other significant social or economic detriment.
GDPR recognizes data controllers and data processors, and each has different reporting obligations. Data controllers are the businesses that have authority over how data is processed. They are responsible for notifying the supervisory authority. Once they become aware of a data breach, the new regulation requires them to notify the supervisory authority without undue delay. GDPR sets the upper limit at 72 hours from the point at which it becomes clear that a breach has occurred; a notification made later than that is out of time. A controller that fails to meet this deadline will have to explain the delay.
Processors are businesses that process data on the instructions of a controller. They are not subject to the 72-hour requirement. Their primary notification obligation is to inform the data controller without delay once it becomes clear to them that a breach has occurred. Data processors therefore carry fewer obligations than controllers.
Neither data controllers nor processors are expected to make a notification if the breach is unlikely to put the rights and freedoms of individuals at risk. However, companies are obliged to keep a record of every breach that occurs in their organization, including how and why it happened.
Notification Documentation Requirement
GDPR sets out the elements that must be included in the notifications that controllers submit to the supervisory authority. The data controller must describe the data breach, indicating the types of data affected, the amount of data involved and the number of people affected. The controller must provide the contact details of the organization’s DPO (Data Protection Officer), or of the person acting in that capacity, whom data subjects can reach for information about the breach. The controller must also describe the likely consequences of the breach. Finally, the law requires a record of the security measures the controller has taken to safeguard individuals’ personal data and to prevent or mitigate adverse effects of the breach.
Data controllers will also be required to notify each affected data subject individually. This is mandatory whenever the breach puts their rights and freedoms at risk, and the controller is again expected to do so immediately. This notification to data subjects must include a description of the breach.