GDPR – Data Breach requirements and notification regimes
Recent high-profile data breaches demonstrate how critical it is to be ready to handle a breach. Advance planning will ensure you have a clear strategy focused on protecting and informing your customers. A detailed plan could minimise damage to your organisation’s reputation.
The EU General Data Protection Regulation (GDPR) imposes a data breach regime on all data controllers and processors handling personal data. This requires organisations to ensure data is adequately protected against loss, theft, unauthorised access etc. Data processors are obliged to report personal data breaches to controllers, and in turn controllers need to be prepared to comply with the personal data breach notification rules.
These require the following:
– The reporting of significant breaches to the supervisory authority within 72 hours
– Informing the affected individuals of a breach if it is likely to result in a high privacy risk to them
– The maintenance of an internal data breach register
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the Data Protection Act 1998 or the other statutory measures referred to in this document.