Reporting a data breach within 72 hours?

So you have suffered a security incident, caused by human error (23%), a system glitch (25%) or a malicious attack (52%). You will have to make prompt decisions and put your Incident Response plan into action (if you are lucky enough to have one).

While most of your effort will go into containing the incident, securing the affected systems, preventing financial losses and minimizing the overall impact, there is one more thing to worry about: personal data.

GDPR (General Data Protection Regulation) requires you to stay compliant during the incident and to notify the supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it (Article 33). If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.

However, not every security incident requires you to notify the supervisory authority.

Difference between a personal data breach and a security incident

A security incident becomes a personal data breach only when it affects personal data. GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)). So if personal data were exposed during the incident, you will most probably have to comply with the strict GDPR rules on notifying the supervisory authority and, in some cases, the affected individuals.

The consequence of such a breach is that you may no longer be able to ensure compliance with the principles relating to the processing of personal data (Article 5), in particular integrity and confidentiality.

When should you report a breach to the supervisory authority?

Not every personal data breach has to be reported. You must notify the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33(1)); whenever such a risk is likely, notification is mandatory. If the breach is likely to result in a high risk to those rights and freedoms, you must also communicate it to the affected individuals without undue delay (Article 34). Only when you can show that the breach is unlikely to result in any risk to individuals are you released from notifying the authority, and even then you must document the breach, its effects and the remedial action taken (Article 33(5)), so that the authority can verify your assessment.

How to define the severity of the impact?

Assessing the risk means looking at the type of breach (confidentiality, integrity or availability), the nature, sensitivity and volume of the data, how easily individuals can be identified from it, the severity of the possible consequences for them, any special characteristics of the individuals (for example children) and how many of them are affected. These are the factors the Article 29 Working Party guidelines on personal data breach notification use to grade the risk.

You can read more about it here: Reporting data breach under the GDPR

Product marketing specialist for Data Privacy Manager