Under the GDPR, a data controller is required to report to the supervisory authority, without undue delay, any personal data breach that may pose a risk to the rights and freedoms of natural persons. In certain cases, such incidents must also be reported to the individuals whose personal data have been affected.
This obligation applies to almost all data controllers, regardless of their size or industry. A personal data breach can take many forms – from accidental or unlawful destruction or loss of personal data to unauthorized access or disclosure.
As the regulation sets a relatively short deadline for reporting such incidents, it is crucial to have a clear reporting process in place beforehand. Organizations should also implement preventive measures (technical and organizational safeguards), along with processes for detecting, assessing, and mitigating incidents and their potential impacts.
Our service includes a legal assessment of the personal data breach, an evaluation of whether it must be reported to the supervisory authority or affected individuals, and the preparation of the relevant notification. We also review your internal procedures for breach reporting and provide recommendations on further steps.
A controller must be able to demonstrate that appropriate technical and organizational measures have been adopted to ensure the confidentiality and resilience of the personal data it processes. A properly designed data breach reporting process serves as evidence of compliance with the GDPR and of due diligence in data protection.