The General Data Protection Regulation (GDPR) is a broad set of regulations that dictate how a company handles the personal data of citizens within the European Union. Articles 33 and 34 of the GDPR outline the requirements to notify both a supervisory authority and affected data subjects in the event of a data breach.
While the details of what an organization needs to report in the event of a breach are defined within the legislation, when to report a data breach and which authority to report the incident to are not as clear. Do you know when your organization should report a data breach, what you need to report, and where to report it to stay GDPR compliant?
When to report a data breach under GDPR
According to the GDPR legislation, an organization must report a data breach to a data protection authority (DPA), also known as a supervisory authority (SA), if there is an incident “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” that leads to a potential risk to people’s rights and freedoms. The European Data Protection Supervisor (EUDPS) guidance notes that while not every information security incident is a personal data breach, every personal data breach is an information security incident.
If the breach could result in “loss of control over their personal data or limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned,” as listed in Recital 85 of GDPR, a company is required to report the incident.