New guidance on data breaches

Under the GDPR, data controllers are required to do the following in relation to personal data breaches:

  1. Notify the Data Protection Commission (DPC) that a personal data breach took place unless they can show it is unlikely to result in a risk to the data subjects
  2. Communicate the personal data breach to the data subjects affected if the breach is likely to result in a high risk to the data subjects


It can be challenging for data controllers to understand which personal data breaches are reportable to the DPC and what constitutes a high risk to data subjects. To help data controllers better understand their obligations when it comes to reporting personal data breaches, the Data Protection Commission has issued a new guide in this area.


The guidance covers the following topics:

  1. What is the definition of a personal data breach? It also explains the difference between a data breach and a personal data breach.
  2. When should a controller notify the DPC of a data breach under the GDPR? This section focuses on what should be reported within 72 hours of becoming aware of the data breach and the need to document all breaches, even if they do not need to be reported.
  3. What should a notification to the DPC contain? The link to report a personal data breach can be found here.
  4. When to communicate a personal data breach to data subjects?
  5. What should a communication to a data subject contain?

Each personal data breach needs to be assessed on a case-by-case basis. What could be a low-risk personal data breach in one scenario, for example sending an email to the wrong recipient, could be a high risk in another scenario. The DPC emphasises this in the guidance and recommends that data controllers also familiarise themselves with the guidelines on personal data breach notification from the Article 29 Working Party.


These guidelines expand on the above topics. In particular, pages 22 to 26 provide guidance on factors to consider when assessing the level of risk or harm the personal data breach may cause to the data subject.


You can download the DPC Guidance Note: A Quick Guide to GDPR Breach Notifications here.


The Article 29 Working Party Guideline on Personal data breach notifications can be downloaded here.


If you have a question on personal data breaches please visit or contact Helen at SFA on 01 605 1668 or at

SFA E-zine - The Tuesday Edition