Updated 08/10/2018: This post has been updated now that we have passed the 25th May deadline.
An integral part of your EU General Data Protection Regulation (GDPR) compliance project is producing appropriate documentation, which includes planning the steps for your data breach procedure.
If you’re just beginning your GDPR project, we suggest that your organisation prioritise creating incident response and breach reporting procedures: they are among the first things a supervisory authority will ask for after an incident, and they demonstrate that you are making a genuine effort to comply.
What is a personal data breach?
The UK Information Commissioner’s Office (ICO) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
The ICO highlights that “personal data breaches” can include:
- Access by an unauthorised third party;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an unintended recipient;
- Lost or stolen computing devices containing personal data;
- Unauthorised alteration of personal data; and
- Loss of availability of personal data.
Personal data breach notification procedures under the GDPR
Organisations must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”. In practice this means the procedure has to cover three obligations: a processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2)); the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33(1)); and, where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34(1)). Because the 72-hour clock starts when the organisation becomes aware of the breach, the procedure should record the time of awareness and the reasons for any delay, which Article 33(1) requires you to explain to the supervisory authority.
Help with creating a data breach notification template
Below is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organisation to communicate the breach from:
- Data processor to data controller;
- Data controller to supervisory authority; and
- Data controller to data subject.
The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates, including the personal data breach notification procedure shown above, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.