So you have suffered a security incident, caused either by human error (23%), system glitches (25%), or malicious attacks (52%). You will have to make prompt decisions and put your Incident Response plan into action (if you are lucky enough to have one).
While most of your efforts will go into securing the data, preventing financial losses, and minimizing the impact of the incident, you have one more thing to worry about: personal data.
GDPR (General Data Protection Regulation) requires you to stay compliant during the incident and report the data breach no later than 72 hours after becoming aware of a personal data breach.
However, not every breach requires you to notify the supervisory authority.
Difference between a personal data breach and a security incident
Not every security breach is considered to be a personal data breach, but every personal data breach is a security incident. Why is that important?
Because if personal data were exposed during the incident, you will (most probably) have to comply with strict GDPR rules about notifying the supervisory authority and, in some cases, the affected individuals about the breach.
The consequence of such a breach is that you will be unable to ensure compliance with the principles relating to personal data processing.
When should you report a breach to the supervisory authority?
If a personal data breach occurs, you need to notify the national supervisory authority immediately, and no later than 72 hours after becoming aware of the breach, and, in certain cases, communicate the breach to the individuals whose personal data have been affected.
However, this applies only if the data breach poses severe risks to an individual's rights and freedoms. If it is likely that there will be a risk, then you must notify the supervisory authority. If it is highly unlikely that the breach would affect personal data, then you are not obligated to report it.
How to define the severity of the impact?
Risks range from material and non-material damage to identity theft, fraud, and significant economic or social disadvantage to the natural person, among others, so you will have to take all of these into account.
You can read more about it here: Reporting data breach under the GDPR