What are the breach notification requirements under EU Law?
Key points:
DATA BREACH REPORTING UNDER EU DATA PROTECTION LAW: The GDPR introduces a general duty for all controllers to report certain types of personal data breach to the relevant supervisory authority (within 72 hours of becoming aware of the breach, where feasible). In addition, if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must be notified without undue delay.
Organizations should have robust breach detection, investigation and internal reporting procedures in place to support decision-making about whether or not to notify and to ensure mitigation steps are taken. Organizations must also keep a record of any personal data breaches, regardless of whether notification is required.
DATA BREACH REPORTING UNDER OTHER EU LAWS: In addition to being subject to security and data breach requirements under GDPR, organizations may be subject to requirements under other EU laws (e.g. the NIS Directive and the ePrivacy Directive) and under member state law.
What is a security incident and what is a data breach?
A data breach can be broadly defined as a security incident that affects the confidentiality, integrity or…