The data breach notification requirements under GDPR differ substantially from the existing ones. The regulation moves away from the current ad hoc, general alerts and introduces a structured approach built on defined policies and procedures. Under the new legislation, companies must report any data breach that, if left unaddressed, may have a detrimental effect on a person, such as financial loss, damage to reputation, loss of confidentiality, discrimination or any other significant social or economic disadvantage.
Data Controllers GDPR
GDPR distinguishes between data controllers and data processors, and each has different reporting obligations. Data controllers are the organisations that determine the purposes and means of processing personal data. They have a duty to notify the supervisory authority. Once they become aware of a data breach, the regulation requires them to notify the supervisory authority without undue delay. GDPR sets the upper limit for this notification at 72 hours from the time the controller becomes aware that a breach has happened, where this is feasible. Where a controller fails to notify within 72 hours, the notification must be accompanied by the reasons for the delay.
Data Processors GDPR
Data processors are businesses that process personal data on behalf of a controller and on the controller's instructions. They are not subject to the 72-hour requirement. Their main obligation in relation to notification is to inform the data controller without undue delay once they become aware that a breach has occurred. In this respect, data processors have fewer direct obligations than controllers.
A controller is not required to notify the supervisory authority if the breach is unlikely to result in a risk to the rights and freedoms of individuals. However, controllers are still required to document every breach that has occurred, including the facts relating to it, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
GDPR Notification Documentation Requirement
GDPR specifies what must be included in the notification that controllers submit to the supervisory authority. The data controller must describe the nature of the breach, including the categories of data affected, the approximate number of records concerned and the approximate number of individuals affected. The controller must give the contact details of the organisation's DPO, or of another contact point, from whom further information about the breach can be obtained. The notification must also describe the likely consequences of the breach. Finally, the controller must describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Data controllers must also communicate the breach to each affected data subject individually. This is mandatory when the breach is likely to result in a high risk to their rights and freedoms, and the controller must do so without undue delay. This communication to data subjects must describe, in clear and plain language, the nature of the breach that occurred, together with the contact point, the likely consequences and the measures taken or proposed to address it.