GDPR FAQ – Breaches
How do you report a personal data breach?
A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Data processors must notify the data controller without undue delay after becoming aware of a personal data breach.
Data controllers must notify the supervisory authority (in the UK, the Information Commissioner’s Office, or ICO) without undue delay when they become aware of a personal data breach that is likely to result in a risk to data subjects’ rights and freedoms.
Where feasible, this must be done within 72 hours. Failure to do so could leave you facing administrative fines of up to €10 million or 2% of annual global turnover – whichever is greater.
Data controllers must also notify data subjects without undue delay if there is a high risk to their rights and freedoms. Note that, if the breached data is anonymised or encrypted to the extent that it is no longer possible to identify data subjects, there is no risk, and no notification is required.
According to Article 33, data controllers must provide the following information to the supervisory authority:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned, and the categories and approximate number of personal data records concerned;
- The name and contact details of your DPO or other contact point from whom more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures you have taken, or propose to take, to deal with the breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If you don’t have all the information to hand within 72 hours, don’t worry: the GDPR allows you to provide the information in phases, although you must provide an explanation for the delay.
You can notify the ICO either by calling its helpline or by completing an online reporting form.
What are the penalties for not complying with the GDPR?
There are two tiers of administrative fines for infringement of the Regulation:
- The higher of €10 million or 2% of annual global turnover for infringements of articles:
  - 8 (conditions for children’s consent);
  - 11 (processing that doesn’t require identification);
  - 25–39 (general obligations of processors and controllers);
  - 42 (certification); and
  - 43 (certification bodies).
- The higher of €20 million or 4% of annual global turnover for infringements of articles:
  - 5 (data processing principles);
  - 6 (lawful bases for processing);
  - 7 (conditions for consent);
  - 9 (processing of special categories of data);
  - 12–22 (data subjects’ rights); and
  - 44–49 (data transfers to third countries).
As well as the power to issue fines, the supervisory authority (in the UK, the ICO) has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2)(f)). In other words, it can stop an organisation processing personal data altogether, effectively shutting it down.
In addition, data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights have been infringed by processing that does not comply with the Regulation.
The Regulation is clear that data subjects should receive “full and effective compensation for the damage they have suffered” – whether material or non-material.
What happens if I have missed the GDPR enforcement deadline?
The GDPR came into effect on 25 May 2018. However, it is wrong to view this as a ‘deadline’ as such, for the simple reason that compliance is an ongoing process, not a one-off event. Even if you were one of the few organisations that were fully compliant on 25 May, you could easily fall out of compliance in the coming months and years unless you regularly review your data processing activities.
All organisations with compliance obligations should continue to strive to meet them. If you know you are not in compliance, you should prioritise those areas where a lack of action leaves you exposed. Where an infringement does occur, demonstrating that you have made a start should help reduce potential penalties.