How to Notify Customers of a Data Breach Under the GDPR
Not sure whether you need to notify your customers of a data breach under the GDPR? Read on to learn about your responsibilities under the Regulation.
Times have changed in the privacy world.
What kind of breach do you need to notify your customers about?
There are several critical elements to understanding the effects of the GDPR. Firstly, it is essential to know what constitutes a breach of personal data. The GDPR defines a personal data breach as a breach of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Some of the types of data breaches include:
- Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data.
- Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
- Integrity breach – where there is an unauthorised or accidental alteration of personal data.
Therefore, it is important to establish which of these categories applies, and the scope of the breach, before you notify anyone of a data breach under the GDPR.
What to do if there is a data breach under the GDPR
Article 33 sets out the notification requirements. In the case of a personal data breach, the “controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” This test is much stricter than what currently operates in Australia. Notification is not required where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. The European Commission has released guidelines with examples that explore this section further. Therefore, consider familiarising yourself with some of the details of the section.
What information do you have to provide?
When reporting a data breach under the GDPR, you need to provide the following information:
- Situational analysis: Provide as much context as possible, including the initial damage, how many people were affected, and the type of personal data that was compromised.
- An assessment of the affected data: This should include information regarding the state of the data. It is essential to recognise precisely what damage has occurred and how the consumer has been affected.
- Preventive measures and actions: Your company should identify what measures it had in place before the breach to prevent incidents like this from occurring. It should also explain how it will improve those measures to ensure that the breach does not happen again.
Therefore, consider which elements of the breach must be reported under the section.
Josh is a Legal intern at Lawpath. He is a Commerce/Law student at Macquarie University. He has an interest in cyberlaw and blockchain technology.