An integral part of your EU General Data Protection Regulation (GDPR) compliance project is producing appropriate documentation, which includes a personal data breach notification procedure.
If you’re just beginning your GDPR project, it’s unlikely that you’ll be fully compliant by 25 May 2018, when the Regulation is enforced.
However, in our recent blog, GDPR priorities in the lead up to May, we suggested that your organisation should prioritise creating incident response and breach reporting procedures to prove you are making an effort to comply.
What is a personal data breach?
The UK Information Commissioner’s Office (ICO) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
They highlight that “personal data breaches” can include:
- Access by an unauthorised third party;
- Deliberate or accidental action (or inaction) by a controller or processor;
- Sending personal data to an unintended recipient;
- Lost or stolen computing devices containing personal data;
- Unauthorised alteration of personal data; and
- Loss of availability of personal data.
Personal data breach notification procedures under the GDPR
Organisations must create a procedure that applies in the event of a personal data breach under Article 33 – “Notification of a personal data breach to the supervisory authority” – and Article 34 of the GDPR – “Communication of a personal data breach to the data subject”.
Below is an example of what a data breach notification might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken by the organisation to communicate the breach from:
- Data processor to data controller;
- Data controller to supervisory authority; and
- Data controller to data subject.
The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates (including a personal data breach notification procedure (see the above)), which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.