GDPR Q&A: Data breaches

Over the past year, we’ve been running a dedicated EU General Data Protection Regulation (GDPR) webinar series in preparation for the Regulation’s compliance deadline. Each webinar covers a specific concern related to the Regulation, and ends with our presenter answering your questions.

This month, we’ve been collecting some of those questions and answers and posting them here. The third blog in our series focuses on data breaches. We’ve previously discussed consent, and compliance and certification.

Q: Who do you report a breach to?

A: A breach that threatens individuals’ rights and freedoms must be reported to your supervisory authority. When that threat is substantial, you also need to notify your data subjects.

Data processors that experience a breach need to notify their controller without undue delay. The controller must then notify the supervisory authority and data subjects as necessary.

Q: Is it still considered a breach even if no data is taken (such as with ransomware)?

A: Yes. A data breach includes both the theft of data and any breach that leads to the unauthorised destruction, loss, alteration, disclosure of or access to personal data.

Q: Does a breach of test data (randomised proper data) need to be reported?

A: If the test data includes information that would allow a natural person to be identified, then it’s within the scope of the GDPR. The same applies to breaches of the security surrounding that data, or to test data that was used without the data subject’s permission.

Q: Are there any guidelines regarding how, or by which medium, I should notify data subjects of a breach?

A: The GDPR does not prescribe the way in which you must produce breach notifications. It’s up to each organisation to develop its own internal policies governing how communications should be issued to data subjects in response to security breaches.

However, when notifying data subjects of a breach, it’s imperative to include the following information in clear and plain language:

  • The nature of the breach.
  • The name and contact details of the relevant data protection officer (DPO).
  • The likely consequences of the breach.
  • The measures that have been taken or proposed to address the breach.

In situations where more than one person’s personal data has been breached, a public notice may be an appropriate means of notification.

Q: Are organisations really expected to report every single breach, regardless of how minor it is?

A: Data breaches only need to be reported to the supervisory authority when they are likely to pose a risk to the rights and freedoms of natural living persons.

Q: How can the 72-hour window to report a breach be enforced?

A: Failure to submit a notification of a breach that poses a high risk to the rights and freedoms of EU residents will result in fines of up to €20 million (about £17.8 million) or 4% of annual global turnover – whichever is greater.

Article 83 of the Regulation states that the manner in which the supervisory authority becomes aware of the breach will factor into the fine imposed. In other words, any organisation that doesn’t notify its supervisory authority of a data breach is likely to attract higher fines.

In itself, this doesn’t answer the question of how authorities will make sure a breach is reported within 72 hours of its discovery. However, it’s reasonable to think that the huge financial penalties will surely impel organisations to comply with the requirements.

Q: When it comes to reporting incidents under the GDPR, do you know if there will be a set of criteria to score incidents and decide what should be reported and what can be dealt with locally?

A: Any breach that could result in a risk to the rights and freedoms of natural persons will certainly have to be reported to the authorities and assessed on a case-by-case basis.

The Information Commissioner’s Office (ICO) provides the following example: a supervisory authority would need to be notified about a loss of customer details where the breach leaves individuals open to identity theft. However, the loss or inappropriate alteration of a staff telephone list would not normally meet the threshold to trigger the notification requirement.

Watch our webinars to find out more

For more information on data breaches under the GDPR, you should take a look at our webinar series. Some of the most appropriate webinars to get started with are:

