Your essential guide to managing a GDPR data breach


A GDPR data breach can be devastating. Understanding and reacting appropriately is vital. If you or your organization is faced with handling such a scenario, this guide clarifies the steps required by GDPR, the deadlines to observe, and the strategies to mitigate repercussions. 

Key takeaways

  • A GDPR data breach is defined as unauthorized access, loss, alteration, or destruction of personal data; understanding its various forms and knowing what constitutes personal data under GDPR is crucial for prevention and compliance.
  • Organizations must report specific types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of them. Not all breaches require notification, but failure to comply with this requirement can lead to substantial fines and other enforcement actions.
  • Proactive measures, including devising an Incident Response Plan, appointing a Data Protection Officer, and establishing robust data security practices such as encryption and regular risk assessments, are paramount to minimize data breach risks and maintain GDPR compliance.

Understanding GDPR data breaches

So, what exactly is a GDPR data breach? It’s more than just loss or theft of data. The GDPR defines a personal data breach as a security incident that results in:

  • Accidental or unlawful destruction
  • Loss
  • Alteration
  • Unauthorized disclosure or access to personal data

A personal data breach can profoundly affect individuals’ privacy and data protection. Remember: The data at stake here is personal, sensitive, and valuable. It’s the kind of information that can be exploited for identity theft, fraud, and other cybercrimes. 

Personal data and GDPR

Under the GDPR, personal data is any information related to an identified or identifiable living individual. In other words, if it can be used to directly or indirectly identify a person, it’s personal data. 

The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Even if the personal data transmitted has been de-identified, encrypted, or pseudonymized, it still falls under the realm of GDPR as long as it can be used to re-identify an individual. It’s like a jigsaw puzzle: Even if the pieces are scattered, they hold value as long as they can be assembled to form a picture.

However, data that has been rendered fully anonymous, ensuring the individual is not identifiable, is not classified as personal data according to GDPR. To continue the simile: That’s less like a jigsaw and more like a shredded document that can’t be put back together.

Furthermore, GDPR’s application to personal data is technology-agnostic, encompassing both automated and manual processing across all forms of storage. This includes everything from digital databases to physical personal data records. So, whether it’s names, addresses, email addresses, ID card numbers, or online identifiers, it’s all personal data under GDPR, and the personal data records concerned are subject to the same regulations.

Common causes of data breaches

Let’s explore some common causes of data breaches. Understanding these causes can help you strengthen your organization’s defenses.

Weak and stolen credentials, application vulnerabilities, and malware are often used in cyberattacks to bypass security and gain unauthorized access to data. 

But that’s not all: Social engineering tactics are employed to deceive individuals into providing access to sensitive data, leading to breaches. Even within an organization, excessive permissions and insider threats can result in data being copied, altered, or stolen by those with authorized access.

User error, often related to improper configuration of systems, is another prevalent cause of data breaches due to mistakes in handling sensitive information. 

Finally, let’s not forget physical attacks, such as unauthorized entry to secure facilities, which represent a distinct threat to data security.

The 72-hour Rule: Reporting a data breach under GDPR

Under GDPR, organizations must report certain types of personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. This is known as the 72-hour rule. 

But it goes further than mere reporting: Organizations are obliged to begin an investigation urgently, allocate sufficient resources, and report the breach within this 72-hour period, even if full details are not yet available. 

Remember, these rules apply to any entity established in the EU or those that process the personal data of EU residents. So, whether you’re in the heart of Europe or halfway across the world, if you’re dealing with the personal data of EU residents, the 72-hour rule applies to you. The European Data Protection Board is crucial in ensuring compliance with these regulations.


An efficient system is crucial to detect and report breaches promptly. This system should include clear procedures for staff to follow in the event of a data breach, ensuring swift action to mitigate any potential harm.

Read more: Understanding the GDPR breach notification timeline: A step-by-step guide

When to notify data protection authorities

Not all breaches are created equal. Data breaches should be assessed on a case-by-case basis to determine the risk to the rights and freedoms of individuals. As Article 4(12) indicates, the breach notification obligations apply only when there is a personal data breach.

In the event of a personal data breach, the following steps should be taken:

  • Data processors are required to inform data controllers without undue delay.
  • Data controllers must then notify the lead supervisory authority, unless the breach is unlikely to result in a risk to individuals.
  • Notifications to supervisory authorities must include detailed information, such as the categories of data involved and the measures taken or proposed to remedy the breach.
  • Regardless of whether a breach is reported or not, all personal data breaches need to be documented, with records of the facts, effects, and remedial action taken.

These steps are necessary to ensure accountability under GDPR.

Consequences of late or inadequate reporting of a personal data breach

Failing to notify the relevant supervisory authority of a notifiable breach can result in a significant fine. It’s not just a slap on the wrist. The stakes are high, with organizations potentially being fined up to £8.7 million or 2% of their global turnover for failing to report a data breach in compliance with GDPR.

But it’s more than just financial penalties. Non-compliance can also result in supervisory authorities enforcing compliance through various measures. Specifically, not reporting a data breach within the 72-hour timeframe can incur additional fines and penalties. Therefore, punctuality and thoroughness in reporting are crucial in managing a GDPR data breach.

Crafting an effective data breach response plan

When a data breach occurs, it’s easy to panic. But with a comprehensive data breach response plan, you can confidently navigate the situation. Such a plan is essential to:

  • Minimize the potential impact on both users and the organization
  • Ensure compliance with GDPR
  • Limit damage

Developing an Incident Response Plan (IRP) that addresses all phases of a data breach is fundamental to managing data breaches effectively under GDPR. This includes establishing robust breach detection, investigation, and internal reporting procedures. Upon identifying a breach, immediate steps include containment and assessment of the potential adverse consequences for individuals.

An effective data breach response plan also encompasses steps such as communication protocols, which guide the organization during a breach incident. Remember, this plan must be regularly reviewed and updated to maintain relevance with the current GDPR requirements and to cope with new security threats. It’s not a one-time effort but a continuous process of improvement.

Roles and responsibilities

In the event of a data breach, it’s all hands on deck. Everyone has a role to play. Designating a Data Protection Officer enhances an organization’s compliance readiness and data protection capabilities.

Data controllers are responsible for working with processors to ensure timely breach notification. In case of a data breach, processors are mandated to inform the data controller without undue delay. The responsibilities within a breach response team can include:

  • Incident management
  • Information security leadership
  • Communication oversight
  • Ensuring proper documentation

Communication and documentation

The GDPR mandates that all organizations keep a record of any personal data breaches, detailing the facts, effects, and remedial actions taken. 

Documenting breaches enables supervisory authorities to verify compliance with GDPR. Lack of such documentation can result in scrutiny and consequences for non-compliance. Therefore, records of data breaches must be clear and comprehensive, allowing for verification of the breach’s nature, response actions taken, and the decision-making process.

Effective GDPR data breach communication involves:

  • Coordinated efforts between legal and PR teams
  • Ensuring messages are empathetic and transparent to maintain trust with stakeholders
  • Being open, honest, and accountable

Informing data subjects about a data breach

When a data breach occurs, it isn’t just the supervisory authorities that need to know. Organizations must also inform data subjects—the people whose personal data has been compromised—about a data breach when it is likely to result in a high risk to their rights and freedoms. It’s about respecting the rights of individuals and giving them the information they need to protect themselves.

Article 34(1) of the GDPR states: “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

Notifying data subjects about a data breach must be done without delay. The notice should include:

  • A description of the nature of the breach
  • The name and contact details of the data protection officer or other contact point
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

If direct notification to data subjects would involve disproportionate effort, alternate methods like public communication may be used, as long as they inform data subjects in an equally effective manner. It’s all about communication that is timely, clear, and respectful.

When to notify data subjects

But when exactly should you notify data subjects? Data subjects must be notified if the breach will likely result in a high risk to their rights and freedoms. The GDPR underscores the need for a subjective assessment, focusing on the nature, severity, and potential consequences of the breach, to determine this level of risk.

Notifying data subjects is optional if the data breach is unlikely to result in a high risk to their rights and freedoms. The decision to notify data subjects (or not) hinges on evaluating the risk presented to the rights and freedoms of natural persons. It’s a delicate balancing act, weighing the severity of the breach against the potential impact on individuals.

Preventive measures to mitigate data breach risks

As the saying goes, prevention is better than cure. This is especially true for data breaches. Implementing robust security measures such as encryption and Data Loss Prevention (DLP) tools is essential to protect personal data in compliance with GDPR mandates. 

But it’s not just about technology. Organizations should also develop strong internal policies, including: 

  • Breach detection
  • Reporting procedures
  • Fostering a culture of data privacy through employee training

Furthermore, Identity and Access Management (IDAM) practices should be implemented to strictly control access to personal data. And don’t forget about third-party risk management, which involves managing and monitoring risks associated with vendors who process personal data. It’s a multi-faceted approach that covers all bases.

Data security best practices

So, what are some data security best practices to protect personal data under GDPR? 

  • Encryption is a crucial technical protection measure that can render personal data unintelligible to anyone not authorized to access it. 
  • Pseudonymization is another GDPR-recommended technical measure, providing security by ensuring personal data cannot be attributed to a specific data subject without additional information. 
  • Organizational measures include ensuring adequate protections are in place for data processing activities, including those implemented by third-party processors. 
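The distinction between pseudonymization (still personal data, reversible by whoever holds the "additional information") and anonymization (no longer personal data) is easier to see in code. The following is an added example written for this guide, not code from the original article or from Thoropass. It pseudonymizes a constructed customer list with a keyed HMAC, so that re-identification is possible only for the holder of the key (kept separately from the dataset), and contrasts that with an aggregation step that produces counts no longer tied to any individual. The record layout, field names, and the minimum group size are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for the example; these are not real people.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"email": "bob@example.com", "postcode": "SW1A 2BB", "orders": 1},
    {"email": "carol@example.com", "postcode": "M1 1AE", "orders": 7},
]


def new_key() -> bytes:
    """Generate the pseudonymization key. This key is the 'additional
    information' GDPR refers to: store it separately from the dataset,
    with its own access controls."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the normalized
    identifier. Deterministic so the same person links across datasets;
    keyed so nobody without the key can recompute it from a guessed email."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, key: bytes):
    """Replace the direct identifier (email) with a pseudonym; keep the
    attributes needed for processing. The result is still personal data."""
    return [
        {"pid": pseudonym(r["email"], key), "postcode": r["postcode"], "orders": r["orders"]}
        for r in records
    ]


def reidentify(rows, known_emails, key: bytes):
    """Re-link pseudonymized rows to identities. Only the key holder can do
    this: recompute pseudonyms for identifiers already held and match them."""
    table = {pseudonym(e, key): e for e in known_emails}
    return {row["pid"]: table[row["pid"]] for row in rows if row["pid"] in table}


def anonymize(records, min_group_size: int = 2):
    """Aggregate to counts per outward postcode and suppress groups smaller
    than min_group_size, so no output row corresponds to one person.
    Unlike pseudonymization there is no key that undoes this step."""
    counts = Counter(r["postcode"].split()[0] for r in records)
    return {area: n for area, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    key = new_key()
    rows = pseudonymize(CUSTOMERS, key)
    print(rows)
    print(reidentify(rows, ["alice@example.com"], key))      # matches with the key
    print(reidentify(rows, ["alice@example.com"], new_key()))  # empty without it
    print(anonymize(CUSTOMERS))
```

The security-relevant detail is the key: an unkeyed hash of an email address can be recomputed by anyone who holds a list of candidate addresses, so such a dataset stays personal data with little real protection. With the HMAC key held separately, the pseudonymized table is what a breached analytics store should look like, while the aggregated counts are what can be shared without the breach rules applying at all.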

Regular Data Protection Impact Assessments help uphold GDPR’s ‘protection by design and by default’ principles by identifying and mitigating risks in specific data processing activities. 

Regular risk assessments

Regular risk assessments are like regular health check-ups—they can identify potential issues before they become serious problems. GDPR risk assessments are a systematic process for identifying, evaluating, and mitigating risks associated with processing personal data. 

Establishing a risk assessment framework with clear criteria and thresholds guides the assessment process and ensures a thorough analysis of risks. Each data processing activity should be regularly assessed against GDPR rules to identify areas of non-compliance and develop remediation plans. 

The risk assessment should focus on the potential negative consequences for individuals, assessing the severity and likelihood of adverse effects. 

How Thoropass can help with GDPR compliance

Every data breach is unique, and managing it requires a nuanced approach. It’s about staying vigilant, being prepared, and acting swiftly and effectively when a breach occurs. Connect with our compliance experts to find out how GDPR applies to your business — no strings attached. Book a chat here.

Our 5-step approach makes GDPR a cinch (okay, not quite a cinch, but as easy as it can get!)

  • STEP 1: Kick-off. After a deep dive into data privacy, our experts customize your GDPR compliance roadmap
  • STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
  • STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
  • STEP 4: GDPR assessment and reporting. As a third party, Thoropass delivers a transparent assessment and report to share with customers and prospects

More FAQs

You should notify the Attorney General’s Office before affected individuals in case of a data breach. If more than 1,000 individuals are affected, consumer reporting agencies must also be notified. Additionally, it’s important to notify law enforcement, other affected businesses, and the affected individuals.

A “breach” according to GDPR, is an accidental or unlawful loss, access, alteration, or disclosure of personal data records, whether malicious or unintentional.

The key components of a robust breach response plan include defining roles and responsibilities, conducting pre-planning exercises, establishing response teams, and regularly reviewing and updating the plan. These elements are crucial for an effective response to a breach.
