Reporting data protection breaches under GDPR?

Data Breach

Data breach definition

Data breach is when intentionally or unintentionally, secure or confidential information is copied, transmitted, viewed, damaged, stolen or used by an individual unauthorized to do.

This data breaches occur when there is an attack by black hats associated with organized crime or political activist.

There can be various causes for why a malicious user want that information, but the most common is to sell it. Yes private information, like for example, credit card numbers, have a lot of value to the black markets.

Sometimes the data breach can occur by negligence from someone in the entities, or, the entity itself.

This french network exposed their passwords while giving an interview.

Here is a list you can check about the biggest data leaks.

Where should I report a data breach?

In general, you must report the data breach to all the affected customers, and to a responsible entity that may differ by country.

All the European countries must have a responsible authority to cover these incidents.

Here are some examples of responsible authorities by country:

To consult the full list go here

When should a data breach be reported?

The report must be done within 24 hours to the responsible authority and within 72 hours to the affected customers without unnecessary delay.

If you can show the data leaked was encrypted and represent no risk to the data you don’t have to report to your customers, only if the responsible authority requires you to do so and it’s considered to affect them.

If you don’t notify the breach you can get fined in up to 20 Million Euros or 4% of the annual revenues, whichever is higher.

data breach Notification to authorities

How to report about a data breach?

To report this kind of incidents to the responsible authorities you must prepare a detailed document about the incident, your company and every detail you feel that is relevant to fix it as quick as possible.

Like this:

  • Your name and contact details;
  • The date and time of the breach (or an estimate);
  • The date and time you detected it;
  • Basic information about the type of breach;
  • Basic information about the personal data concerned.

To notify your users’ you must have some more care.

If you do it improperly, with too many technic details that users don’t understand or if you sound worried in the notification you may be causing the panic unnecessarily.

To better inform the affected customers you must write a message where:

  • Think carefully about voice and tone, talk clearly and be frank to the users without alarming them.
  • Tell your customers as much as you can about the data breach incident, advise and tell them how they must proceed to be secure again, be transparent.
  • Consider your audience, different audiences may react differently, take that into consideration.
  • Make it readable,  again, write it clearly and understandable to everyone.

Summing up

Data breaches are a reality and they can occur to anyone.

If you enforce your data protection measures, you are contributing to mitigate the possible damage caused by a data breach.

Every system is fallible, there are no perfect systems, but there is the one that does the most they can to be protected and that way prevent the worst.


Was this post helpful?