Achieving GDPR Data Breach Notification Compliance: Best Practices

Have you considered what you would do if a data breach occurs? GDPR compliance requires data breach notification procedures for businesses that process the personal data of individuals in the EU.

In this article, we’ll explore GDPR data breach notification compliance requirements, including timelines, best practices, and internal and external reporting requirements.

Let’s dive right in.

General Data Protection Regulation Overview

The GDPR is a regulation passed by the EU to protect the personal data of individuals in the EU.

It is one of the most comprehensive data protection laws in the world and is built on seven principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

The sixth, integrity and confidentiality, is of vital importance for our discussion here, as it requires that personal data be processed securely and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

If a data breach occurs and your security measures fall short, your company may face one of two tiers of administrative fines under Article 83:

  1. Up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for less severe infringements, which include breaches of the security and notification obligations in Articles 32 to 34
  2. Up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for more severe infringements, which include breaches of the basic principles in Article 5

GDPR Data Breach Notification Requirements

Under the GDPR there are two breach notifications: one to the supervisory authority (Article 33) and one to the affected data subjects (Article 34). This article covers both, with particular attention to the message your business sends to customers whose data may have been compromised in the incident.

It serves to achieve the following:

  1. Inform users of the breach
  2. Communicate the steps you will take to address it
  3. Advise the users on the steps they should take to reduce the risk to their data
  4. Show accountability by providing timely and accurate information about the breach

What Constitutes a Data Breach Under GDPR?

The GDPR defines a "personal data breach" in Article 4(12) as:

“Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The European Commission has a similar definition of a data breach, which says:

“A data breach occurs when the data for which your company/organization is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity.”

GDPR Data Breach Notification Timeline

Under Article 33 of the GDPR, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification takes longer than 72 hours, it must be accompanied by the reasons for the delay.

Elements of GDPR Data Breach Notification

Paragraph 3 of the same article specifies the elements a personal data breach notification must contain.

These requirements are:

  1. Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  2. Provide the name and contact details of the data protection officer (DPO) or another contact point in the company, such as a chief privacy officer (CPO)
  3. Describe the likely consequences of the personal data breach
  4. Describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

Data Breach Response and Mitigation

Although reporting the data breach promptly and truthfully is essential for transparency and trust, more is needed to solve the problem.

You also have to take appropriate actions to respond and remedy the breach.

Here are the additional steps you must take to address the breach:

  • Inform your organization's DPO: The moment you identify a data breach, inform the data protection officer (or whoever is responsible for data protection), who will take charge of the response
  • Determine the scope and potential impact of the incident: Identify which data has been breached and which data subjects' personal or financial data may be compromised
  • Notify the supervisory authority and, where the breach is likely to result in a high risk, the affected data subjects
  • Contain the breach: Take measures to stop further unauthorized access to your customers' data, and preserve logs and other evidence needed for the investigation
  • Review your existing security measures: Check that appropriate safeguards are in place, update them where necessary, and continue monitoring the situation

Tony Foley, a consultant at Wolters Kluwer Legal & Regulatory U.S., says:

"Internally, businesses should have an incident response team in place to immediately put its response plan in place the moment a data breach is discovered. Externally, the GDPR requires controllers to notify the national supervisory authority of a breach without undue delay and within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons."

The GDPR’s Article 33 clearly states the timetable in which a business should report a data breach.

Again, you have 72 hours to report this to the relevant authorities.

The regulation says little about internal reporting (Article 33(2) only requires a processor to notify the controller without undue delay), but it's clear that the timetable here is even narrower.

Once you identify the data breach, report it immediately to the DPO or person responsible for data protection in your organization so they can take appropriate action, including crafting a GDPR data breach notification and conducting a plan of action.

You also need to report the data breach to the relevant supervisory authorities.

Article 51 GDPR (Supervisory Authority) states that:

“Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.”

The EDPB publishes a list of the data protection authorities (DPAs) for each Member State.

Communicating with Affected Individuals

Communicating the data breach incident with the affected individuals certainly won’t be easy. Your customers won’t be happy to hear this at all.

However, not communicating a data breach is much worse: you risk alienating your customers and incurring legal penalties.

Tony Foley says:

"The GDPR requires data controllers subject to a breach to notify data subjects without undue delay of the nature of the breach, the likely consequences, and the measures being taken to address it, as well as the name and contact information of the DPO or other contact person. Specific modes of communication are not specified, but generally would include contact by e-mail, regular mail, phone, or “substitute notice” in mass media, as appropriate."

Now, here's how to craft the actual message for the data breach notification:

Crafting Effective Data Breach Notifications

Article 34 of GDPR (Communication of a Personal Data Breach to the Data Subject) applies when the breach is likely to result in a high risk to the rights and freedoms of natural persons, and it sets out how you should communicate the incident:

“The communication to the data subject… shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in… Article 33.”

Here’s what an effective GDPR data breach notification looks like:

Personal Data Breach Notification

Dear [Customer Name]

We regret to inform you that on [Date of Breach] we suffered a personal data breach that affected a portion of our user base. We are writing to provide you with the necessary information about this incident and the measures we are taking to address it.

Nature of Data Breach

On [Date of Breach] our IT security team detected unauthorized access to our customer database. The resulting data breach affected the following user information:

  1. Full names
  2. Email addresses
  3. Billing addresses
  4. Phone numbers

At this stage, we have found no evidence that user passwords or financial data such as credit card numbers or bank account details were accessed. [Describe the safeguards that apply to that data, for example: passwords are stored only as salted hashes, and card data is held by our payment processor rather than on the affected system.]

Possible Effects of a Data Breach

Although the incident did not compromise any financial data, we are fully aware of the potential impact it may have on our users. The exposed information could be used for malicious activities, including targeted phishing campaigns that reference your name and address to appear legitimate. We advise extra caution with any unsolicited communication, especially one that asks for sensitive data or payment.

Measures to Address the Data Breach

We will take several steps to address the data breach and prevent another incident of its kind, including:

  1. Perform a detailed analysis of the breach to determine its extent and identify potential security vulnerabilities
  2. Review our internal security policies and how they align with GDPR and other relevant data protection and privacy laws
  3. Update and reinforce our data security infrastructure to minimize the risk of future data breaches
  4. Provide additional data protection and security awareness training and education to our employees

We also recommend that you take the following measures to protect your sensitive data:

  1. Closely monitor your financial accounts for any suspicious and unusual activity
  2. Avoid sharing personal and financial information when you are not sure if the request is legitimate
  3. Do not open or click on unsolicited emails, links, and attachments (they might contain malware)
  4. Change passwords to any accounts that might be affected in the data breach, and change any passwords that you are using on multiple accounts.

We sincerely apologize for any problems this data breach incident may have caused you.

Keeping your trust is of absolute importance to us and we are working tirelessly to prevent a similar incident in the future.

If you need more information, please don’t hesitate to contact our DPO via [DPO email] or [DPO phone]

Thank you for your cooperation and patience.

Yours sincerely,

[Your Name]

[Your Title]

[Company Name]

Offering Support and Assistance

The GDPR data breach notification isn’t just about informing your consumers of the incident. It should also explain what actions they need to take to protect their compromised data.

Continue to offer support and assistance to your data subjects through training, education, and other resources.

Record-Keeping and Documentation

Article 33 (5) states:

“The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects, and the remedial action taken.”

This closely relates to the seventh GDPR principle, accountability:

"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1" (Article 5(2)).

The exact method for recording and documenting a data breach is left to the business in question, although the EDPB Guidelines encourage controllers to establish an internal register of breaches, regardless of whether they are required to notify or not.

The EDPB also states that the controller should record details of the breach, including:

  • Causes
  • What happened
  • Personal data affected

Additionally, you should document the actions you will take following the breach and the reasoning behind them.

Ultimately, how this documentation will look is left somewhat open and in the hands of your business. It’ll just need to demonstrate your accountability.
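The Article 33 timeline and the Article 33(5) register described above are easy to get wrong under pressure, so here is a small breach register as an added example. It is not code from the article or from Captain Compliance; the field names, the risk levels ("unlikely", "risk", "high") and the sample breach are this example's own assumptions. It computes the 72-hour deadline from the moment of awareness, checks a draft notification against the Article 33(3) elements, and emits a register entry.

```python
"""Personal data breach register (added example; not from the article).

Assumptions: awareness time is the clock that starts the Article 33(1)
72-hour window; risk is recorded as "unlikely", "risk" or "high"; the
field names are this example's own, not GDPR terminology.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

ART33_WINDOW = timedelta(hours=72)  # Art. 33(1): "not later than 72 hours" after awareness


@dataclass
class BreachRecord:
    """One entry in the internal breach register (Art. 33(5))."""
    ref: str
    aware_at: datetime                 # when the controller became aware (UTC)
    nature: str                        # Art. 33(3)(a): what happened
    data_categories: list              # Art. 33(3)(a): categories of personal data
    approx_subjects: int               # Art. 33(3)(a): approximate number of data subjects
    contact_point: str                 # Art. 33(3)(b): DPO or other contact point
    likely_consequences: str           # Art. 33(3)(c)
    measures: str                      # Art. 33(3)(d)
    cause: str                         # EDPB: record the causes in the register
    risk: str                          # "unlikely", "risk" or "high" (assumed scale)
    reasoning: str = ""                # why that risk level was chosen
    notified_authority_at: Optional[datetime] = None
    notified_subjects_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        return self.aware_at + ART33_WINDOW

    def authority_notification_required(self) -> bool:
        # Art. 33(1): no notification when the breach is unlikely to result in a risk
        return self.risk in ("risk", "high")

    def subject_communication_required(self) -> bool:
        # Art. 34(1): data subjects must be told when the risk is likely to be high
        return self.risk == "high"

    def missing_elements(self) -> list:
        """Art. 33(3) content that a draft notification still lacks."""
        checks = [
            ("nature of the breach", bool(self.nature.strip())),
            ("categories of personal data", bool(self.data_categories)),
            ("approximate number of data subjects", self.approx_subjects > 0),
            ("DPO or other contact point", bool(self.contact_point.strip())),
            ("likely consequences", bool(self.likely_consequences.strip())),
            ("measures taken or proposed", bool(self.measures.strip())),
        ]
        return [name for name, ok in checks if not ok]

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def status(self, now: datetime) -> str:
        """Where the authority notification stands at time `now`."""
        if not self.authority_notification_required():
            return "no authority notification required; keep the reasoning in the register"
        if self.notified_authority_at is not None:
            late = self.notified_authority_at - self.deadline()
            if late > timedelta(0):
                # Art. 33(1): a late notification must give the reasons for the delay
                return f"notified {late.total_seconds() / 3600:.1f} h late; reasons for delay must be given"
            return "notified within 72 hours"
        remaining = self.hours_remaining(now)
        if remaining < 0:
            return f"OVERDUE by {-remaining:.1f} h"
        return f"due in {remaining:.1f} h"

    def register_entry(self) -> dict:
        """Art. 33(5) record: the facts, their effects and the remedial action."""
        entry = asdict(self)
        entry["deadline"] = self.deadline().isoformat()
        entry["subject_communication_required"] = self.subject_communication_required()
        return entry


def sample_breach() -> BreachRecord:
    """Constructed sample for illustration, not a real incident."""
    return BreachRecord(
        ref="BR-0001",
        aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        nature="Unauthorised read access to the customer database via a leaked service credential",
        data_categories=["full names", "email addresses", "billing addresses", "phone numbers"],
        approx_subjects=12000,
        contact_point="dpo@example.com",
        likely_consequences="Targeted phishing against affected customers",
        measures="Credential revoked, access logs preserved, affected customers informed",
        cause="Service credential committed to a public repository",
        risk="high",
        reasoning="Contact data of a large group; realistic phishing risk",
    )


if __name__ == "__main__":
    b = sample_breach()
    print(b.status(datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)))
    b.notified_authority_at = datetime(2024, 3, 3, 15, 0, tzinfo=timezone.utc)
    print(b.status(b.notified_authority_at), b.missing_elements(), b.register_entry()["deadline"])
```

The deadline is anchored to `aware_at`, not to the date of the intrusion, because that is what Article 33(1) counts from; record both, since the gap between them is usually the first question a supervisory authority asks. The "unlikely" branch still produces a register entry, which is the EDPB's point about documenting breaches you decide not to notify.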

Assessing and Enhancing Data Breach Response

By assessing your data breach response, you can better identify weak areas where you’ll need improvement in the future.

Here are some steps you can take to enhance your data breach responses:

  • Measure your response time from detection to response initiation. This will help you identify any bottlenecks
  • Audit the plan for clarity at every stage, check whether it was followed as intended, and identify gaps
  • Seek feedback from the affected customers, shareholders, and relevant authorities to analyze the effectiveness of your communication
  • Assess your regulatory compliance to verify that you followed the correct processes and actions
  • Appraise your containment measures. How long did it take you to identify which systems and data were affected or to disable compromised accounts?
  • Determine the root causes of the breach. Identify weak points in your systems and areas for improvement
  • Get another pair of eyes on it. Have an independent third party evaluate your response plan and measures and recommend where and how you can improve

GDPR Data Breach Notification Best Practices

When creating a GDPR data breach notification, ensure that it helps your customers understand the nature of the breach and its potential effect on their personal or financial data.

Here are some best practices that will help you do that:

  • Evaluate the scope and impact of the breach, such as the type of data compromised and which data subjects were affected
  • Create a data breach notification template that will rely on GDPR guidelines (Articles 5, 33, and 34 mentioned here already). Feel free to reference the template above, but customize as necessary.
  • Include all the necessary information, such as the description of the incident, what types of data are affected, potential impact, actions your business will take, actions you recommend consumers take, and contact information for your DPO
  • Make sure that you cover all the GDPR legal requirements
  • Provide additional resources like FAQs or material that can help data subjects better understand the problem
  • Document the response, including the dates, who you notified, and the contents of the notification for GDPR compliance
  • Personalize the notification wherever possible. For instance, instead of "Dear user," start with "Dear Mr. Smith." It shows the recipient that the message is specific to them rather than a generic mass mailing
  • Choose the proper delivery method. Usually this will be email, but you can use text messaging or postal mail, or a combination, depending on the number of affected individuals and the urgency of the response. Where email addresses were among the exposed data, expect phishing that imitates your notification: keep the message free of login links and tell customers how to verify that it is genuine
  • Make sure that the notification is in clear language without jargon that consumers will easily understand

Real-Life GDPR Data Breach Notification Examples

Here are some real-life examples of GDPR data breach notifications to inspire your own, should you ever need one:

British Airways

The British Airways cyberattack occurred in 2018 and affected roughly 380,000 to 500,000 customers, compromising their payment card details. Here is the data breach notification.

Why is it good?

The BA notification communicates what happened and shows the company’s accountability and commitment to addressing the incident. It also offers a good recommendation of what the customers should do next.

It’s also short and very clear.

One negative is that a link to a dedicated page would be more useful than the link to the homepage, and contact details for the DPO would work better than a generic contact.

Also, a heading of some kind would further improve it.

Superdrug

Also in 2018, Superdrug, the second-largest health and beauty retailer in the UK, experienced a data breach incident and sent this security notice to its customers.

Why is it good?

First of all, Superdrug starts with the customer's name ("Hi Rinhongii") rather than a generic "Hi customer," which makes the message feel specific to the recipient.

Next, Superdrug bolded some crucial elements which help the reader more easily find the relevant information ( “but not including your payment card information”).

Finally, all other elements of a data breach notification are there.

Of course, there are some areas where it could improve.

First, it's a bit long (the second paragraph in particular) and could use cutting in some places and better formatting.

Also, although they provided the phone and email for customer service, it would be better to use the contact information of a DPO.

FAQs

Does GDPR Require Notification of Data Breach?

Yes. When a personal data breach is likely to result in a risk to individuals, the GDPR requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a high risk, you must also communicate it to the affected data subjects without undue delay.

Learn more about the benefits of outsourcing a Data Protection Officer.

When Must a Data Breach be Reported Within?

You should report a data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, according to Article 33 GDPR. If you take longer, you must give the reasons for the delay.

Learn how a DPO as a Service (DPOaaS) can help your business stay compliant.

How Soon Must a GDPR Breach be Reported?

A GDPR breach must be reported to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it, according to Article 33 of GDPR: Notification of a personal data breach to the supervisory authority.

Learn more about the GDPR compliance requirements here.

What are the Guidelines for Personal Data Breach Notification Under GDPR?

The requirements for communicating a breach to data subjects are set out in Article 34: Communication of a personal data breach to the data subject, while notification of the supervisory authority is covered by Article 33. The EDPB has also published guidelines on personal data breach notification that explain how to apply both articles.

Learn how to create a data privacy crisis management action plan in this article.

Who Do I Notify for Data Breach?

You should notify your organization's data protection officer (DPO), the supervisory authority competent for your organization, and, where the breach is likely to result in a high risk, the affected data subjects. If you act as a processor, notify the controller without undue delay.

What are the data protection officer costs? Learn about them in this article.

How Can Captain Compliance Help You?

The average global cost of a data breach in 2022 was $4.35 million, according to IBM's Cost of a Data Breach Report 2022.

That figure covers direct costs such as detection, response and lost business; regulatory fines and the long-term loss of customer trust are harder to quantify and can add substantially to it.

By creating an effective GDPR data breach notification, you ensure compliance but also show commitment to protecting your customers’ sensitive data and empower them to do the same.

Get in touch with Captain Compliance today, and take proactive action to protect your business and customers by achieving compliance.