Guidance for GDPR Breach Notifications

The Irish Data Protection Commission (DPC) has recently released new guidance on GDPR breach notifications.

The purpose of the guidance is to help data controllers understand their obligations under GDPR with respect to sending notifications to the data protection authority and subjects whose personal data has been compromised or exposed.

While the guidance has been issued for businesses operating in Ireland or otherwise collecting or processing the data of Irish data subjects, the guidance is relevant to all companies that collect or use the personal data of EU residents. The Polish data protection authority has also issued guidance for GDPR breach notifications in the past few days.

DPC confirms that entities have two primary notification obligations under GDPR. First, the breach must be reported to DPC within 72 hours of the breach being discovered, unless the breach is unlikely to result in a risk to data subjects. Data controllers should assume that all data breaches are reportable unless it can be shown that they do not present a risk to data subjects. Under GDPR, a data breach must also be communicated to affected data subjects if there is a high risk of personal information being misused.

Regardless of the decision to report, a log of all data breaches must be maintained, together with details on the cause of the breach, the actions taken, and how the decision was made not to report. This log allows compliance to be demonstrated in the event of an audit.

The guidance clarifies what is a personal data breach under GDPR, using the definition of “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”

The guidance covers the circumstances under which the data protection authority must be notified, when notifications must be issued to data subjects, what content must be included, how notifications can be communicated, and the time frames for issuing those notifications.

The guidance can be downloaded from the DPC via this link.

Author: NetSec Editor