Notifying the Commissioner
Controllers must notify the Commissioner if a personal data breach is likely to result in a risk to the rights and freedoms of an individual. If a breach is unlikely to lead to a risk to an individual then it is not necessary to notify the breach to the Commissioner. If a processor becomes aware of a breach, it must report that breach to the relevant controller.
The theft of personal data from a database should be notified, as this is likely to have an impact upon individuals who could suffer financial loss or other consequences. In contrast, the loss or unauthorised alteration of an internal staff telephone list is unlikely to result in a risk to an individual and does not need to be notified.
How long do we have to report a breach?
The Commissioner must be notified of a personal data breach without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give good reason for the delay.
Section II of the Article 29 Working Party Guidelines on personal data breach notification gives more details of when a controller can be considered to have “become aware” of a breach. These Guidelines have been endorsed by the European Data Protection Board and can be found at: https://edpb.europa.eu/our-work-tools/our-documents/guideline/personal-data-breach-notifications_en (correct as at 5 June 2018)
How to report a breach
When reporting a breach, the ‘Applied GDPR’ says you must provide a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned;
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
In the case of a breach affecting individuals in EU countries, you may need to identify which EU data protection authority(ies) must be notified.
When appropriate, a controller should also consider informing other parties such as the police, insurers, professional bodies, or bank or credit card companies who may be able to mitigate the risk, for example by reducing the risk of financial loss to individuals.
What if we don’t have all the required information available yet?
It is recognised that it will not always be possible, within 72 hours, to fully investigate a breach, understand exactly what happened and determine what needs to be done to mitigate it. Where a controller cannot furnish all the required information in the initial report, further information may be provided at a later date, provided there is no undue delay in doing so.