Companies interacting with European Union (EU) member states need to protect individual citizens’ data per the General Data Protection Regulation (GDPR). The GDPR breaks down specific rights for data subjects and the responsibilities that the entities processing or controlling their data must meet. If a data breach occurs, organizations must comply with GDPR notification requirements.
The EU GDPR Reporting Requirements for Breach Notifications
Although most cybersecurity frameworks are designed to prevent incidents, they also build in protocols for responding to events that do occur. This includes containing the breach, restoring systems and services, and notifying the appropriate parties.
The EU GDPR is no different; there are two main Articles in Chapter 4 that specify the GDPR data breach reporting protocols and timelines:
- Article 33, which concerns notification to a supervisory authority for security breaches
- Article 34, which concerns communication to the parties impacted by security breaches
To maintain GDPR compliance, you’ll need to prove that you have the infrastructure in place to respond to breaches and promptly notify all appropriate parties. RSI Security can help implement these procedures.
GDPR Article 33: Breach Notification to Supervisory Authorities
All terms critical to understanding the GDPR breach notification timeline and reporting requirements are defined in Article 4.
For GDPR purposes, a data breach is any breach of security that could lead to unauthorized access or damage to personal data. Personal data, in turn, is any information of, about, or related to an individual that is personally identifiable (i.e., personally identifiable information, or PII).
Data controllers are entities responsible for this data, such as executives of companies; data processors are other stakeholders who process the data but are ultimately subservient to the data controllers.
The other relevant parties for Article 33 are supervisory authorities, or the entities with legal authority over the data of individuals belonging to a given EU member state. Authority is granted by the relevant state. Article 33 concerns regulated entities reporting breaches to supervisory authorities.
Breach Notification Requirements and Timeline for Data Controllers
If a data breach occurs, a GDPR-compliant company must notify the competent supervisory authority without undue delay. The GDPR data breach reporting time is specified as a 72-hour window that begins when the controller (or a related party acting for it) becomes aware of the data breach.
An exception to this rule and prescribed timeline exists if the data breach in question is unlikely to result in risks to the impacted parties’ rights or freedoms. Also, if notice cannot be provided within the 72-hour timeline, the controller must provide sufficient reasons to justify the delayed notification.
Breach Reporting Timeline From Data Processor to Data Controllers
While the controller is responsible for reporting a data breach to the supervisory authority, the data processor must first report the data breach to the controller. Because the processor works more directly with the data than the controller does, processors are more likely to become aware of a breach first. If the data controller becomes aware of the data breach before the processor does, this part of the protocol does not apply.
Further Requirements for Breach Reporting to a Supervisory Authority
Beyond the 72-hour timeline, Article 33 also specifies requirements for EU GDPR data breach reporting; namely, the report provided to the supervisory authority by the data controller must:
- Describe the nature of the data breach, including the categories and number of data subjects impacted, along with the categories and number of actual records impacted.
- Communicate contact information for the Data Protection Officer (DPO) that impacted parties can contact to receive further information and updates pertaining to their data.
- Describe any consequences of the data breach that are likely to impact data subjects.
- Describe any measures taken by the controller to address the data breach or its effects.
Stipulation for Breach Reporting of Partial or Incomplete Information
Data breach reports are required and expected to be complete. However, in situations where all information is not available at the time of initial notification, GDPR allows for information to be provided in phases. Despite this, all information should be communicated as soon as it is available.
Retention of Information Pertaining to Breaches and Breach Reporting
Finally, Article 33 states that data controllers must document all data breaches. This includes all facts related to the breach itself, facts or data related to its impacts, and all records pertaining to remedial actions taken to address the breach and communicate it to stakeholders, per GDPR requirements. This information may be used to verify compliance with GDPR Article 33.
GDPR Article 34: Breach Notification to Impacted Data Subjects
Article 34 concerns notice provided directly to data subjects impacted by a data breach, coming from the data controller or a representative appointed by the controller. This notification operates irrespective of the notice given to the supervisory authority, per Article 33. However, as the final stipulation below details, reporting to a supervisory authority can affect the data controller’s responsibilities in notifying data subjects impacted by a data breach.
Immediate Breach Communication to Data Subject for Critical Cases
In critical data breaches, the data controller must notify impacted parties without undue delay. Critical cases are defined as those in which a data breach is likely to result in a high risk to any impacted data subjects’ rights or freedoms. “Without undue delay” is not a specific GDPR breach notification timeline like the 72-hour window that Article 33 specifies for notice to the supervisory authority. However, any evidence of an avoidable delay in reporting may constitute a violation.
Requirements for Clear, Complete Communication of Breach Details
The data breach report sent to impacted data subjects must detail all information pertaining to their respective data. It must also include any details of the overall breach that may concern them, including categories and amounts of data impacted, as in Article 33. This information must also be communicated in a clear and accessible manner (i.e., plain language).
Conditions Under Which Breach Communication is Not Necessary
Article 34 also stipulates scenarios in which none of the requirements above apply. Namely, if any of the following conditions are met, breach communication to data subjects is not required:
- If the data controller had organizational or technical measures in place to protect the data affected by the breach, such that the compromised data has been rendered unintelligible to unauthorized viewers (e.g., through encryption), no individual notification is required.
- If the data controller implements cyberdefense measures that neutralize or completely eliminate risk factors that make a data breach critical (see above), no report is required.
- If the data controller would need to exert disproportionate effort to contact each person and entity impacted individually, the data controller may engage in public disclosure through a media outlet or other equally effective method; no individual reports are required.
Stipulations Pertaining to Breach Communication Requirements
Finally, Article 34 ends with a provision granting ultimate authority over breach communication to the supervisory authority.
In situations in which a data controller has not provided notice to a party impacted by a data breach, its reasons for not doing so likely involve:
- Their assessment of the risks involved (i.e., deeming the breach low-risk)
- Their assumption that one of the conditions that negate reporting responsibilities applies
However, the supervisory authority can override the data controller’s judgment in either case and require notification.
Facilitate Your GDPR Breach Reporting with RSI Security
If your company collects, stores, processes, or otherwise comes into contact with data of or pertaining to EU citizens, you almost certainly need to maintain GDPR compliance. So, you’ll need to comply with the GDPR notification requirements.
For that, you need visibility infrastructure in place to detect a breach as soon as it happens, along with risk assessment functionalities to accurately gauge threats posed by breaches. Finally, you’ll need open, secure communication channels to supervisory authorities and impacted data subjects.