Under GDPR in relation to personal data breaches, data controllers are required to do the following:
- Notify the Data Protection Commission (DPC) that a personal data breach took place unless they can show it is unlikely to result in a risk to the data subjects
- Communicate the personal data breach to the data subjects affected if the breach is likely to result in a high risk to the data subjects
It can be challenging for data controllers to understand what is reportable to the DPC in terms of personal data breaches and what is a high risk to data subjects. In order to help data controllers better understand their obligations when it comes to reporting personal data breaches, the Data Protection Commission have issued a new guide in this area.
The guidance covers the following topics:
- What is the definition of a personal data breach? It also explains the difference between a data breach and a personal data breach.
- When a controller should notify the DPC of a data breach under the GDPR? This section focuses on what should be reported within 72 hours of being aware of the data breach and the need to document all breaches if they do not need to be reported.
- What should a notification to the DPC contain? The link to report a personal data breach can be found here.
- When to communicate a personal data breach to data subjects?
- What should a communication to a data subject contain?
Each personal data breach needs to be assessed on a case by case basis. What could be a low risk personal data breach in one scenario, for example sending an email to the wrong recipient, could be a high risk in another scenario. In the guidance they emphasis this and recommend that data controllers should also familiarise themselves with the guidelines on personal data breach notification from the Article 29 Working Party.
These guidelines expand on the above topics and in particular from page 22 to 26 it provides guidance on factors to consider when assessing the level of risk or harm the personal data breach may cause to the data subject.
You can download the DPC Guidance Note: A Quick Guide to GDPR Breach Notifications here.
The Article 29 Working Party Guideline on Personal data breach notifications can be downloaded here.
If you have a question on personal data breaches please visit www.sfa.ie/advice or contact Helen at SFA on 01 605 1668 or at email@example.com.