Understanding the GDPR breach notification timeline: A step-by-step guide


In the event of a data breach, the GDPR breach notification timeline is straightforward: you must notify the relevant authorities within 72 hours. 

This blog post outlines the critical steps you need to take to comply with GDPR requirements, ensuring you avoid the potential fines associated with delayed reporting.

Key takeaways

  • The GDPR defines a personal data breach as not only unauthorized access to data but also accidental or unlawful destruction, loss, alteration, or disclosure, prioritizing incidents that significantly risk affected individuals over other breaches.
  • Organizations must notify the relevant authority of a personal data breach within 72 hours, with failure to do so potentially incurring fines up to €10 million or 2% of global annual revenue; however, exceptions apply when encrypted data is breached or if there’s no risk to individuals.
  • A comprehensive data breach response plan under GDPR must outline roles and responsibilities, be reviewed and updated regularly, and include steps for responding to and documenting breaches to maintain effectiveness and comply with GDPR.

How is a “breach” defined according to GDPR?

GDPR has set a clear definition for a “breach” – it includes: 

  • Unauthorized access to personal data
  • Accidental or unlawful destruction
  • Loss, alteration, or disclosure of personal data records. 

Instances of personal data breaches can include everything from the accidental loss of a company laptop containing personal data to a full-scale cyber attack resulting in unauthorized access to customer databases.

The GDPR’s specific definition of a personal data breach aims to avoid overwhelming regulators with irrelevant breach reports. By focusing on personal data breaches, organizations can concentrate on reporting incidents that pose a significant risk to the data subjects concerned. Therefore, breaches unrelated to personal data, despite their severity, are not required to be reported under GDPR.

The 72-hour rule: Key aspects of GDPR breach notification timeline

A key aspect of GDPR’s breach guidelines is the 72-hour rule. GDPR mandates that organizations must notify relevant authorities of a personal data breach within 72 hours of becoming aware of it. This countdown begins when the IT security team discovers a personal data breach, triggering the data breach notification process.

Failure to meet this deadline may result in hefty fines, with potential penalties reaching up to €10 million or 2% of the company’s global annual revenue.

The importance of timely reporting

Reporting breaches promptly is not merely a suggestion; it’s a requirement. 

Quick action can minimize potential harm to data subjects and ensure compliance with GDPR regulations. GDPR requires notification without undue delay, and delaying the reporting process can result in substantial penalties.

Prompt reporting is also instrumental in managing a data breach. It ensures compliance with legal requirements and helps mitigate the potential consequences of the breach.

Exceptions to the 72-hour rule

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”

GDPR

While the 72-hour rule is a strict guideline, there are specific instances where organizations may be exempt. One such instance is when the personal data affected by the breach is encrypted using cutting-edge algorithms, and the encryption key remains uncompromised.

Another exemption is when the personal data breach is not expected to pose a risk to the rights and freedoms of individuals. However, even in such cases, organizations are still required to provide a contact point for further information when reporting a breach.

Identifying and assessing personal data breaches

Identifying and assessing personal data breaches are crucial steps in managing a GDPR data breach. This involves recognizing the indicators of a breach, such as sudden file changes or abnormal system behavior, and understanding the common causes, which can range from weak or stolen credentials to third-party service provider risks.

Recognizing a personal data breach

Identifying a personal data breach necessitates an understanding that breaches extend beyond unauthorized access, encompassing accidental or unlawful destruction, loss, alteration, and disclosure of personal data. Several factors can lead to personal data breaches, including weak and stolen credentials, application vulnerabilities, malware, and third-party risks.

Organizations can implement continuous cybersecurity monitoring solutions to maintain ongoing surveillance for data breaches. These solutions offer the visibility needed to identify vulnerabilities and proactively address cybersecurity concerns. Upon discovering a breach, organizations should promptly contain it and evaluate the potential adverse consequences for individuals.

Assessing the risk to data subjects

Following the identification of a data breach, the next important step is to assess the risk to data subjects. This involves determining whether the breach is likely to present no risk, a risk, or a high risk to individuals.

High-risk instances include the matching or combining of personal data from multiple sources and the utilization of personal data of children or vulnerable individuals for marketing or automated decision-making.

The risk assessment plays a vital role in the breach management process. It enables organizations to effectively contain and respond to the breach. This includes determining the potential impact on individuals, such as the possibility of identity theft, fraud, physical danger, distress, and public exposure, and assessing the likelihood of these consequences.


Reporting a personal data breach to supervisory authorities

After identifying and assessing a personal data breach, organizations are required to report the breach to supervisory authorities. This involves selecting the appropriate authority based on the jurisdiction where the breach has the potential to impact EU citizens’ rights and freedoms and providing the necessary information for notification.

Selecting the appropriate supervisory authority

When selecting the appropriate supervisory authority, organizations should take into account the location of their main establishment within an EU member state. As a data controller, it’s important to remember that each European Economic Area (EEA) Data Protection Authority (DPA) is entrusted with overseeing and upholding the implementation of the General Data Protection Regulation (GDPR).

The role of these authorities, including the data protection officer, is vast. Their responsibilities encompass:

  • Publication of expert advice on data protection issues
  • Enforcement of data protection law
  • Imposition of penalties for non-compliance
  • Handling of complaints
  • Initiation of legal proceedings when deemed necessary.

Information required for notification

In reporting to supervisory authorities, organizations are required to provide particular information. This includes:

  • The categories of data involved
  • An approximate count of the data records affected
  • Details about the breach
  • The likely consequences of the breach
  • The measures taken or proposed to address it
  • Contact information for the DPO or other point person

In fact, organizations are accountable for carrying out investigations in the event of a data breach. Having detailed documentation helps ensure accuracy and effectiveness in the notification process.

“The notification shall at least:

  • describe the nature of the personal data breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

GDPR

Notifying affected data subjects

Following the notification of supervisory authorities, organizations are then required to inform the affected data subjects. This is required when the breach is likely to result in a high risk to the rights and freedoms of individuals, requiring direct and prompt notification of those affected.

Criteria for individual notification

Several factors determine the criteria for individual notification. These include the severity of the breach, which can be determined by assessing the impact of the breach and the likelihood of its consequences. The potential impact on data subjects is another important factor. 

“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

GDPR

When assessing the potential impact of a data breach on individuals, it’s crucial to consider the possible outcomes. These may include:

  • Identity theft
  • Fraud
  • Physical danger
  • Distress
  • Public exposure, particularly when the compromised personal data records are mismanaged or mishandled.

The next step is to evaluate the probability of these outcomes occurring.

Certain types of breaches, such as those involving medical or financial information or sensitive data like psychological or ethnic information, necessitate individual notification when the personal data transmitted is compromised.

Content and delivery of data subject notification

The information included in the notification to data subjects is of utmost importance. It should include details about the personal data breach, its consequences, and the corrective measures implemented. The notification should be clear and simple, ensuring that individuals understand the situation and its potential ramifications. As per GDPR guidelines, a breach notification should be issued promptly, ideally within 72 hours of becoming aware of the breach.

The delivery of these notifications should also follow best practices. These include:

  • Establishing separate thresholds for notifying customers and authorities
  • Safeguarding individuals and their personal data
  • Maintaining an up-to-date response plan
  • Adhering to all legal and contractual obligations concerning privacy policies, consent, and data protection measures

Developing a robust breach response plan

In addition to comprehending GDPR data breach guidelines, it is of equal importance for organizations to establish a solid breach response plan. This involves outlining the key components of the plan and ensuring it’s regularly reviewed and updated to maintain its effectiveness and compliance with GDPR regulations.

Key components of a response plan

A comprehensive data breach response plan includes several key components. This involves defining roles and responsibilities within the response team, preparing pre-planning exercises, and establishing response teams and members.

Designated roles within the team can include:

  • Incident manager
  • Information security team leader
  • Communications lead
  • Documentation lead

Each role plays a crucial part in managing the breach, ensuring a prompt and structured response to contain and manage the incident effectively.

The response plan should also include steps for reporting the breach to the relevant supervisory authority and formal documentation of roles and responsibilities.

Regular review and updating

Merely having a breach response plan is insufficient. Regular review and updates are necessary to maintain its effectiveness and compliance with GDPR regulations. This involves detecting, managing, and recording incidents and breaches, as well as assessing, reporting, and notifying individuals.

Regular review and updating of the plan ensure that it aligns with explicit protocols for incident response, stringent notification obligations, and reporting deadlines outlined in the current regulations. Routine assessments, such as during the annual audit plan process, serve to avert non-compliance and the possibility of substantial penalties.

Your path to GDPR Compliance with Thoropass

Okay, that may have been a scary read. If we’ve got your attention, let us now offer some reassurance. 


Our 5-step approach makes GDPR a cinch (okay, not quite a cinch, but as easy as it can get!)

  • STEP 1: Kick-off. After a deep dive into data privacy, our experts customize your GDPR compliance roadmap
  • STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
  • STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
  • STEP 4: GDPR assessment and reporting. As a third party, Thoropass delivers a transparent assessment and report to share with customers and prospects
  • STEP 5: And beyond… Leverage our extensive platform to add frameworks, renew attestation, and ensure continuous compliance


More FAQs

You should notify the Attorney General’s Office before affected individuals in case of a data breach. If more than 1,000 individuals are affected, consumer reporting agencies must also be notified. Additionally, it’s important to notify law enforcement, other affected businesses, and the affected individuals.

A “breach” according to GDPR, is an accidental or unlawful loss, access, alteration, or disclosure of personal data records, whether malicious or unintentional.

The key components of a robust breach response plan include defining roles and responsibilities, conducting pre-planning exercises, establishing response teams, and regularly reviewing and updating the plan. These elements are crucial for an effective response to a breach.
