GDPR: personal data breaches and breach notification

One of the requirements of the GDPR is that personal data is processed in a manner that ensures the appropriate security of that personal data, including

  • Protection against unauthorised or unlawful processing
  • Protection against accidental loss, destruction or damage

Accordingly, the GDPR requires organisations to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed.

Organisations will need to show that, where possible, they have appropriate technical and organisational measures in place to prevent a breach and that, when breaches do occur, there are measures in place to react in a timely manner.

A data breach can potentially have a range of significant adverse effects on an individual, which can result in physical, material or non-material damage.

Because of this, data breaches, and in particular how those data breaches are handled, form a significant part of the GDPR.


Notification of breach

Although the GDPR introduces the obligation to notify a breach, it isn’t a requirement to do so in all cases.

Notification to the ICO is triggered where a breach is likely to result in a risk to the rights and freedoms of individuals.

Communication of a breach to the individual is triggered where the breach is likely to result in a high risk to the rights and freedoms of that individual.


Documenting breaches

Regardless of whether or not a breach needs to be notified, organisations must keep documentation of all breaches.

This is linked to the accountability principle of the GDPR.

Whilst it is up to the controller to determine what method and structure to use when documenting a breach, there is certain key information that should be included in all cases. This will include the causes of the breach, what took place, the personal data affected, the effect and consequences of the breach, together with the remedial action taken.