Lawpath Blog
How to Notify Customers of a Data Breach Under the GDPR

How to Notify Customers of a Data Breach Under the GDPR

Not sure whether you need to notify your customers of a data breach under the GDPR? Read on to learn about your responsibilities under the Act.

22nd October 2019
Reading Time: 3 minutes

Times have changed in the privacy world.

In the digital age, customers expect notifications about data breaches. Notification is one of the hallmarks of the GDPR. GDPR stands for General Data Protection Regulation. It’s the European Union’s new data protection laws, which came into effect on 25 May 2018. Australian businesses of any size may need to comply if they have an establishment or if they offer goods and services in the EU. This can include if they monitor the behaviour of individuals in the EU. While the GDPR does share some similarities with Australian privacy laws, the process of notification is somewhat different. Therefore, a prudent company (Controller) should look to update their privacy policy to ensure they are compliant with GDPR. 

What kind of breach do you need to notify your customers about?

Furthermore, there are several critical elements for understanding the effects of the GDPR. Firstly, it is essential to what constitutes a breach of data. A breach occurs “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Some of the types of data breaches include:

  • Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data.
  • Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  • Integrity breach – where there is an unauthorised or accidental alteration of personal data

Therefore, it is important to recognize the scope of the breach before you notify of data breaches under the GDPR.

What to do if there is a data breach under the GDPR

Article 33 sets out guidance for notification. In the case of a personal data breach, the “controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” This test is much stricter than what currently operates in Australia. There are some exemptions where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification does not occur within 72 hours, the reasons must be provided. The European Commission has released guidelines with examples that explore this section further. Therefore, consider familiarising yourself with some of the details of the section. 

What information do you have to provide?

When reporting a data breach under the GDPR, you need to provide the following information:

  • Situational analysis: Provide as much context as possible, including the initial damage and how many people were affected and the type of personal data that was compromised.
  • An assessment of the affected data: This should include information regarding the state of the data. It is essential to recognise precisely what damage has occurred and how the consumer has been affected.
  • Preventive measures and actions: Your company should identify what measures did you have in place before the breach to prevent incidents like this from occurring. it should also include how you will improve those measures to ensure that the breach does not happen again.

Therefore, consider which elements of the breach must be reported under the section.

Update your privacy policy

As a result, it is essential to recognise that parties need to investigate if their privacy policy is up to date with the GDPR. While it may seem cumbersome, these measures force businesses to reconsider how they interact with a customer’s privacy. Seek legal advice if you are unsure of your legal obligations.

Don’t know where to start? Contact us on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest lawyer marketplace.

Author
Joshua Cutrone

Josh is a Legal intern at Lawpath. He is a Commerce/Law student at Macquarie University. He has an interest in cyberlaw and blockchain technology.