The GDPR Data Breach Notification Obligation

IAGON Team, Iagon Official
Dec 23, 2021

We are starting a series of publications about GDPR. Find out why it matters for everyone.

💡 This article is reprinted here from the Iagon corporate blog.

According to the Identity Theft Resource Center, a US organization, as of December 6, 2021 the year was only 239 data breaches away from breaking the all-time record for data compromises in a single year. The growing data security problem, combined with strict data-processing regulation in some countries, raises the question: how does the best-known privacy framework deal with a data breach?

The General Data Protection Regulation, also known by its acronym GDPR, imposes several obligations and procedures on controllers who have been victims of a data breach. One particular obligation is the data breach notification obligation, which can be summarized as the duty to make public disclosure and notify the victims when a data breach takes place. This obligation raises several questions: which information should be disclosed and notified? To whom? How should this process be carried out? When should it take place? And, more importantly, how does this help mitigate the effects of the data breach?

First, this obligation arises whenever a breach of personal data occurs. Article 4(12) of the GDPR defines a data breach as “The accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed” (EU, 2016). A data breach triggers the data breach notification obligation set out in Articles 33 and 34: the former concerns the duty to notify the data protection (supervisory) authority, the latter the duty to notify the data subjects.

Regarding the content and timing of the notification under Article 33, the notification must include information on the nature of the data breach, a description of its likely consequences, and the measures taken to mitigate its effects (Waesberge & Smedt, 2016). Additionally, Article 33 states that a data breach shall be notified to the supervisory authority without undue delay and no later than 72 hours after the controller becomes aware of it. Concerning the obligation towards the data subject, Article 34 provides that it must be fulfilled where the breach is “likely to result in a high risk to the rights and freedoms of natural persons” (EU, 2016). According to the Articles,

Please follow us on social media and feel free to drop any questions you may have about the project directly in the Telegram group. Our team is always open to discussions.
