Data breach – the obligation to inform the authorities

If the General Data Protection Regulation (“GDPR”) is applicable to you, as of 25 May 2018 you will be obliged to inform the relevant authorities within 72 hours as of becoming aware of a data breach that you committed or your data processors on your behalf, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

These notification must include:

  • description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Contact us if you would like us to consult us, perform an audit with respect this new obligation, or see if the GDPR applies to your business. We will be glad to be of help.


Leave a Reply