Guidelines on personal data breach notification under GDPR

Apr 24, 2023 | News, Working papers

The European Data Protection Board (EDPB) is an independent European body that contributes to the uniform application of data protection rules across the EU and promotes cooperation between EU data protection authorities. It is established by the General Data Protection Regulation (GDPR) and is based in Brussels.

The GDPR introduced a requirement that a personal data breach be reported to the relevant national supervisory authority (or, in the case of a cross-border breach, the lead supervisory authority) and, in certain cases, that the individuals whose personal data was affected by the breach also be notified.

The EDPB believes that the reporting obligation has a number of advantages. When informing the supervisory authority, controllers can obtain advice on whether the affected persons need to be informed; the supervisory authority may also order the controller to inform those persons of the breach. Notifying individuals of a breach allows the controller to explain the risks that result from it and the steps those individuals can take to protect themselves from its potential consequences. Breach notification should therefore be seen as a tool for increasing data protection compliance.

Controllers and processors are therefore advised to plan and implement processes in advance so that they are able to detect and quickly contain a breach, assess the risk to individuals, and then determine whether it is necessary to inform the relevant supervisory authority and, where required, notify the affected persons of the breach. Notification to the supervisory authority should be part of this incident response plan.

The GDPR requires that both controllers and processors have appropriate technical and organizational measures in place to ensure a level of security commensurate with the risk posed by the personal data they process. As a result, a key element of any data security policy is the ability to prevent breaches where possible and to respond in a timely manner where they do occur. The current EDPB guidelines lay down detailed rules for handling such a situation.

More information here