Data breach: how to report it under the GDPR?


Data breach definition

A data breach occurs when secure or confidential information is, intentionally or unintentionally, copied, transmitted, viewed, damaged, stolen or used by one or more people who are not authorized to do so.

Data breaches occur when there is an attack by black hats associated with organized crime or political activism.

A malicious user might want that information for various reasons, but the most common one is to sell it. Private information, such as credit card numbers, has a lot of value on black markets.

Sometimes a data breach occurs through negligence on the part of the entity storing the data.

This French network exposed its passwords while giving an interview.

Here is a list you can check about the biggest data leaks.

Where should I report a data breach?

In general, you must report the data breach to all the affected customers and to a responsible entity in your country.

All European countries must have a responsible authority to cover these incidents.

Here are some examples of responsible authorities by country:

To consult the full list go here.

When should you report a data breach?

The report must be made within 24 hours to the responsible authority and within 72 hours to the affected customers.

If you can confirm that the leaked data was encrypted, you don’t have to report it to your customers unless the responsible authority requires you to do so.

If you don’t notify the authorities about the breach, you can be fined up to 20 million euros or the equivalent of 4% of your annual revenues, whichever is higher.


How to report a data breach?

To report this kind of incident to the responsible authorities, you must prepare a detailed document about the incident, your company and every detail you feel is relevant to fixing it as quickly as possible:

  • Your name and contact details;
  • The date and time of the breach (or an estimate);
  • The date and time you detected it;
  • Basic information about the type of breach;
  • Basic information about the personal data concerned.

Notifying your users requires more care.

If you do it improperly, with too many technical details that users don’t understand, or if you sound worried in the notification, you may cause unnecessary panic.

To better inform the affected customers you must write a message where you:

  • Think carefully about voice and tone, talk clearly and be frank without alarming users.
  • Tell your customers as much as you can about the data breach incident, and advise them on how they must proceed. Be transparent.
  • Consider your audience. Different audiences may react differently; take that into consideration.
  • Make it clear. Write it so that it is clear and understandable to everyone.

Summing up

Data breaches are a reality and they can happen to anyone.

If you enforce your data protection measures, you help reduce the possible damage caused by a data breach.

Every system is faulty. What’s important is that companies do the most they can to protect customers’ data and to prevent the worst.

 
