Home Compliance StandardsGDPR What is the GDPR Data Breach Reporting Time?
GDPR

What is the GDPR Data Breach Reporting Time?

by RSI Security
written by RSI Security
access

Companies interacting with European Union (EU) member states need to protect individual citizens’ data per the General Data Protection Regulation (GDPR). The GDPR breaks down specific rights for data subjects and the responsibilities that the entities processing or controlling their data must meet. If a data breach occurs, organizations must comply with GDPR notification requirements.

 

The EU GDPR Reporting Requirements for Breach Notifications

Although most cybersecurity frameworks are designed to prevent incidents, they also build in protocols for responding to events that do occur. This includes stopping the spread of a breach, cybersecurity and service recovery, and notifying appropriate parties.

The EU GDPR is no different; there are two main Articles in Chapter 4 that specify the GDPR data breach reporting protocols and timelines:

  • Article 33, which concerns notification to a supervisory authority for security breaches
  • Article 34, which concerns communication to the parties impacted by security breaches

To maintain GDPR compliance, you’ll need to prove that you have the infrastructure in place to respond to breaches and promptly notify all appropriate parties. RSI Security can help implement these procedures.

 

GDPR Article 33: Breach Notification to Supervisory Authorities

All terms critical to understanding the GDPR breach notification timeline and reporting requirements are defined in Article 4.

For GDPR purposes, a data breach is any breach of security that could lead to unauthorized access or damage to personal data. Personal data, in turn, is any information of, about, or related to an individual that is personally identifiable (i.e., personally identifiable information, or PII). 

Data controllers are entities responsible for this data, such as executives of companies; data processors are other stakeholders who process the data but are ultimately subservient to the data controllers.

The other relevant parties for Article 33 are supervisory authorities, or the entities with legal authority over the data of individuals belonging to a given EU member state. Authority is granted by the relevant state. Article 33 concerns regulated entities reporting breaches to supervisory authorities.

 

Request a Free Consultation

 

Breach Notification Requirements and Timeline for Data Controllers

If a data breach occurs, a GDPR-compliant company must notify the legal supervisory authority without delay. GDPR data breach reporting time is specified as a 72-hour window immediately following the controller or another related party becoming aware of the data breach.

An exception to this rule and prescribed timeline exists if the data breach in question is unlikely to result in risks to the impacted parties’ rights or freedoms. Also, if notice cannot be provided within the 72-hour timeline, the controller must provide sufficient reasons to justify the delayed notification. 

 Security

Breach Reporting Timeline From Data Processor to Data Controllers

While the controller is responsible for reporting a data breach to the supervisory authority, the data processor must first report the data breach to the controller. Given that the data processor has a closer proximal relationship with the data than the controller, it’s more likely for processors to be aware of a breach first. If the data controller becomes aware of the data breach before the processor does, they may disregard this part of the protocol.

 

Further Requirements for Breach Reporting to a Supervisory Authority

Beyond the 72-hour timeline, Article 33 also specifies requirements for EU GDPR data breach reporting; namely, the report provided to the supervisory authority by the data controller must:

  • Describe the nature of the data breach, including the categories and number of data subjects impacted, along with the categories and number of actual records impacted.
  • Communicate contact information for the Data Protection Officer (DPO) that impacted parties can contact to receive further information and updates pertaining to their data.
  • Describe any consequences of the data breach that are likely to impact data subjects.
  • Describe any measures taken by the controller to address the data breach or its effects.

 

Stipulation for Breach Reporting of Partial or Incomplete Information

Data breach reports are required and expected to be complete. However, in situations where all information is not available at the time of initial notification, GDPR allows for information to be provided in phases. Despite this, all information should be communicated as soon as it is available.

 

Retention of Information Pertaining to Breaches and Breach Reporting

Finally, Article 33 states that data controllers must document all data breaches. This includes all facts related to the breach itself, facts or data related to its impacts, and all records pertaining to remedial actions taken to address the breach and communicate it to stakeholders, per GDPR requirements. This information may be used to verify compliance with GDPR Article 33.

 

GDPR Article 34: Breach Notification to Impacted Data Subjects

Article 34 concerns notice provided directly to data subjects impacted by a data breach, coming from the data controller or a representative appointed by the controller. This notification operates irrespective of the notice given to the supervisory authority, per Article 33. However, as the final stipulation below details, reporting to a supervisory authority can affect the data controller’s responsibilities in notifying data subjects impacted by a data breach.

 laptop

Immediate Breach Communication to Data Subject for Critical Cases

The data controller must provide immediate notice to impacted parties as soon as possible in critical data breaches. These are defined as cases in which a data breach is likely to result in high risks to any impacted data subjects’ rights or freedoms. The undue delay is not a specific GDPR breach notification timeline like the 72-hour window specified for notice to the supervisory authority Article 33. However, any evidence of a delay in reporting may constitute a violation.

 

Requirements for Clear, Complete Communication of Breach Details

The data breach report sent to impacted data subjects must detail all information pertaining to their respective data. It must also include any details of the overall breach that may concern them, including categories and amounts of data impacted, as in Article 33. This information must also be communicated in a clear and accessible manner (i.e., plain language).

 

Conditions Under Which Breach Communication is Not Necessary

Article 34 also stipulates scenarios in which none of the requirements above apply. Namely, if any of the following conditions are met, breach communication to data subjects is not required:

  • If the data controller implements organizational or technical measures to protect any data affected by a breach, such that the files compromised have been rendered wholly unreadable by unauthorized viewers (i.e., through encryption), no report is required.
  • If the data controller implements cyberdefense measures that neutralize or completely eliminate risk factors that make a data breach critical (see above), no report is required.
  • If the data controller would need to exert disproportionate effort to contact each person and entity impacted individually, the data controller may engage in public disclosure through a media outlet or other equally effective method; no individual reports are required.

 

Stipulations Pertaining to Breach Communication Requirements

Finally, Article 34 ends with a disclaimer granting ultimate authority over breach communication to the supervisory authority.

In situations in which a data controller has not provided notice to a party impacted by a data breach, their reasons for doing so likely involve:

  • Their assessment of the risks involved (i.e., deeming the breach low-risk)
  • Their assumption that one of the conditions that negate reporting responsibilities applies

However, the supervisory authority can override the data controller’s judgment in either case and require notification.

 

Facilitate Your GDPR Breach Reporting with RSI Security

If your company collects, stores, processes, or otherwise comes into contact with data of or pertaining to EU citizens, you almost certainly need to maintain GDPR compliance. So, you’ll need to comply with the GDPR notification requirements.

For that, you need visibility infrastructure in place to detect a breach as soon as it happens, along with risk assessment functionalities to accurately gauge threats posed by breaches. Finally, you’ll need open, secure communication channels to supervisory authorities and impacted data subjects.

RSI Security can help you re-think all elements of GDPR-compliant data breach reporting, along with every other part of GDPR compliance—contact us today to start!

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

How to Make Your Website GDPR Compliant: A...

August 16, 2019

GDPR Privacy Policy Checklist 2023

March 2, 2023

What GDPR Means for These Five Industries

April 6, 2020

What is a GDPR Data Subject Rights Request? 

March 17, 2021

How Are E-Commerce Websites Affected By GDPR Regulations?

September 13, 2019

Challenges of Managing Personally Identifiable Information

December 24, 2019

The GDPR Data Breach Reporting Timeline

March 11, 2021

How Does GDPR Affect B2B Sales?

October 6, 2022

Canada’s PIPEDA vs. EU’s GDPR: What’s the Difference?

September 3, 2020

Are you ready for GDPR enforcement?

June 20, 2018

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More