Breach notification under the GDPR

The EU General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. The law applies to organizations worldwide that monitor the behavior of, or offer goods and services to EU residents.

One key requirement of the GDPR is that data breaches have to be reported to the relevant supervisory authority within 72 hours of discovery.

Current data breach notification laws in the US vary from state to state and, in the majority of cases, apply to electronic data only. The data in the scope of these rules generally includes name and numerical information, such as social security number and financial account numbers.  Organizations are required to notify the affected individuals – subject to the level of potential harm caused by the breach – and, in certain states, relevant authorities.

The main difference between the GDPR and current US data protection laws for organizations is that a GDPR data breach includes any information that can identify a natural person. In addition to names and ID numbers, a photo of someone’s face, their IP address, or work email address are considered personal data.

Another key difference is that the GDPR requires organizations to notify the supervisory authority, such as the Information Commissioner’s Office (ICO) for the UK, of any breach that presents a risk to the rights and freedoms of data subjects. This covers virtually every breach, except for cases where the data was already publicly available. Organizations also need to notify individuals whose data has been breached if it could present a high risk to their rights and freedoms. If unencrypted passwords and usernames were leaked, for example, the data subjects would need to be notified “without undue delay”, in addition to notifying the supervisory authority within 72 hours.

The GDPR stipulates that organizations needn’t work with multiple supervisory authorities for one breach, even if the breach affects residents from multiple EU member states. Guidance on this area from the Article 29 Working Party (WP29) explains that it’s best to notify the authority in the country where your EU representative is based.

Learn more about breach notification on our EU GDPR Foundation and Practitioner Combination Training course. Other topics include:

  • The six data processing principles
  • Why and how to conduct a data flow mapping exercise
  • Handling data subject access requests (DSARs)

Available in classrooms in Boston, or Live Online in EST or PST.