Previously, I wrote a blog post (see here) on data breaches and where to report them, focusing on the notion of ‘lead supervisory authority’. In this blog post, I focus on the contents of data breach notifications under the GDPR. Note that notifications may be addressed to either of two stakeholders: the supervisory authority and/or the data subjects concerned (the ‘victims’ of the data breach). Using GDPR compliance software, you can support this process and improve your ability to meet GDPR requirements.
Articles 33 and 34 GDPR distinguish between three types of cases:
A breach is unlikely to result in a risk to the rights and freedoms of natural persons (art. 33(1) GDPR). In this case, no notification is needed, but the breach should still be registered within your organisation for accountability purposes.
A breach is likely to result in a risk to the rights and freedoms of natural persons (art. 33(1) GDPR). In this case, a notification to the supervisory authority is needed.
A breach is likely to result in a high risk to the rights and freedoms of natural persons. In this case, in addition to the notification to the supervisory authority, the data subject also needs to be notified (art. 34(1) GDPR).
In my view, though, the exceptions to the data subject notification are not really exceptions, because the first two basically take away the ‘high’ from the ‘high risk for the data subject’, and the third one is still a notification, only through different means.
Please take into account that the supervisory authority may decide on the necessity of a data subject notification and thus interpret the term ‘high risk’ and the exceptions itself.
Notifications to the supervisory authority are made under art. 33 GDPR. According to this article, a notification has to contain the following constituents:
the nature of the breach, including, where possible:
the categories and approximate number of data subjects involved;
Please note that, even if you choose not to notify a breach, you still have to keep a register of breaches.
As to the contents of a breach notification to the data subject, the following are the requirements (art. 34 GDPR):
These mirror the requirements of art. 33(3), with the exception of the nature of the breach. This is odd, as one would expect the data subject to be informed about at least the categories of personal data involved in the breach, so that the data subject can act upon that (e.g. change a password that was leaked).
It is also important to realise that, although articles 33 and 34 GDPR do not allow for deviations in national legislation, supervisory authorities must provide a way to notify breaches to them, and in designing the relevant (web) forms they have considerable freedom regarding the questions they ask. In practice, this may result in more questions being asked than are literally part of articles 33 and 34.