A personal data breach occurs when an internal or external party breaches your organization's security protocol and accesses personal data belonging to data subjects. The breach may be accidental or unlawful.
What does a data breach look like? It might be:
- Unauthorized third-party access to user information
- Actions or inactions (deliberate or not) by the processor or controller
- Changes to personal data without data subject permission
- Personal data sent to the wrong data subject
- Lost computing devices (computers, servers, hard drives, phones, etc.)
The definition of personal data breaches is broad so that it can encompass all kinds of security incidents that impact personal data. If data is lost, disclosed, changed, or destroyed, then there was a breach.
Why does this matter? The GDPR requires you to notify data subjects of personal data breaches in certain scenarios.
To do this, you'll use a Data Breach Notice Letter filled in with the relevant details of the security incident like what happened, what you did to stop it, and how data subjects can protect themselves post-breach if their data has been compromised.
- 1. What is a GDPR Data Breach Notice Letter?
- 2. When Do You Need a GDPR Data Breach Notice Letter?
- 2.1. When Do You Need to Report a Data Breach?
- 2.2. What are the Exceptions to Data Subject Communication?
- 3. What to Include in the Data Breach Notice Letter
- 4. Safeguarding Against Data Breaches
- 4.1. What to Do to Prepare for a Breach
- 4.2. How to Respond to a Personal Data Breach
- 5. Summary
What is a GDPR Data Breach Notice Letter?
A Data Breach Notice Letter informs data subjects of a security breach that has the potential to impact their personal information and privacy.
The letter features a standard form because it must satisfy all the GDPR requirements as laid out in Article 34 of the legislation, Communication of a personal data breach to the data subject.
Fortunately, the GDPR recognizes that not all data processors operate the same way. Rather than prescribing a fixed letter that may not reflect your data practices or the vastly different types of data breaches, the GDPR keeps its requirements short:
When a data breach is likely to result in a high risk to the rights and freedoms of the individuals whose personal data is involved in the breach, you'll need to communicate to the data subject, in clear and plain language and without undue delay, the following:
- The name and contact details of the DPO or other point of contact who will have more information about the breach,
- A description of what the likely consequences of the breach may be, and
- A description of any measures taken or that may be taken to address the breach and mitigate any adverse effects of it
This is the minimum amount of information that must be included in your communication according to Article 34(2). You can and should include additional relevant details if they're available.
When Do You Need a GDPR Data Breach Notice Letter?
The GDPR concerns itself with data security and transparency. It does not explicitly state that you need either a data breach policy or a Data Breach Notice Letter.
However, it does make it clear that these two tools make a huge difference in both security and transparency, which are the two main aims of the legislation.
When do you need one of these letters for your website or business? You benefit from a Data Breach Notice Letter if you fall under the scope of the GDPR.
In other words, if you process data from European citizens, then their data is included in the potential risk for a breach. As a result, you must comply with the GDPR to avoid significant fines and legal action, which means notifying data subjects of breaches. Having a Data Breach Notice Letter is an easy and compliant way to do this.
When Do You Need to Report a Data Breach?
Different reporting rules apply to supervisory organizations, controllers, and data subjects.
You need to use your Data Breach Notice Letter to report a breach to subjects when the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects whose data is breached.
You don't need to send a database-wide email every time an unauthorized party merely attempts to breach your personal data. However, you do need to let data subjects know when a breach actually occurs.
Data subjects must receive reports of a breach within 72 hours of an occurrence unless you have good reason to delay (such as a law enforcement investigation). Even if you don't have all the information, the GDPR's minimum requirements allow you to send an incomplete notification to data subjects. However, you must update it later with the relevant details as they become available.
What are the Exceptions to Data Subject Communication?
The EU identifies only three exceptions to the data breach communication rule.
You do not need to communicate the breach to the data subjects when:
- The data was encrypted (or similar security measure used)
- The controller's action minimized risk
- The effort in communicating to data subjects is disproportionate to the breach
If you don't fall under one of these exceptions, then the 72-hour communication rule continues to apply.
What to Include in the Data Breach Notice Letter
The GDPR asks that you describe "in clear and plain language" the nature of the breach in your Data Breach Notice Letter.
You're required to include at least some of the information from GDPR Article 33(3) in your letter, namely the three items listed above: the contact point for more information, the likely consequences of the breach, and the measures taken or proposed to address it.
When you can't provide the information all at once, either because you don't have it or the situation continues to evolve, then you may provide the information in phases. However, you cannot delay the release of the information.
The GDPR list is the minimum amount of information to provide in your letter. In addition to the basic requirements above, consider also adding:
- Date of the notice
- Date of the breach or approximate date/date range
- Categories of information impacted
- Whether a law enforcement investigation delayed the notice
- Description of actions taken by the processor to contain the issue
- Advice for affected individuals (credit monitoring, password changes, etc.)
- Government or law enforcement contact
- Consumer reporting contact information
Here's an example of an introduction:
"[Company Name] values your privacy and deeply regrets that this incident occurred. [Company Name] is conducting a thorough review of the potentially affected [place of breach]...[Company Name] has implemented additional security measures designed to prevent a recurrence of such an attack..."
You can also add the signature of a senior executive of the organization. It is not required, but it signals the seriousness of the incident, which makes customers more likely to take both the notice and its suggestions for mitigating potential effects seriously.
Offering as many details as are available is often the best course of action, particularly when the data subject's liberty is at serious risk.
Saying "We had a data breach" isn't enough for the GDPR. You'll need to share when, what, where, and what you're doing about it, too.
Safeguarding Against Data Breaches
The GDPR requires you to report data breaches because it acknowledges that they are inevitable in some cases. However, the GDPR also wants data processors to do their best to protect data from breaches and stop incidents from escalating.
Failure to prepare for a data breach could lead to a fine of up to 20 million Euro or four percent of your global turnover. These fines may be twice as much as those for failing to notify data subjects of a breach.
In other words, the EU takes preventative security and planning seriously.
You can break this down into two phases: preparing for and responding to personal data breaches.
What to Do to Prepare for a Breach
Preparing for a security breach involves two parts: recognizing a data breach and preparing a response plan.
Your organization needs to recognize a personal data breach when it happens and understand that it extends beyond the theft of personal data.
You also need a comprehensive data breach response plan for addressing breaches. The plan should include a person or persons responsible for managing a breach as well as a chain of command for escalation.
How to Respond to a Personal Data Breach
Your response should match your preparation. Are you ready to respond when you recognize a data breach?
Your organization should:
- Assess the risk associated with a breach
- Know whom to approach (supervisory authority, controller, and data subjects)
- Understand the process for notification even without all details
- Inform affected individuals ASAP (or without undue delay)
- Provide all relevant information to individuals to protect them
- Document every breach, even when the breach doesn't warrant reporting
If you process data from European data subjects, then you must comply with the GDPR. The GDPR offers specific rules regarding communicating data breaches. Organizations must communicate them to regulating authorities, data controllers, and data subjects.
Data breaches take place in a wide variety of forms, including both unlawful and accidental acts. Part of your job is learning to recognize a data breach so that you can implement a data breach plan to mitigate the damage done to data subjects' liberty.
A GDPR Data Breach Notice Letter makes it easy to report a breach to data subjects without undue delay - or ASAP. All you need to do is fill in the relevant details and send it out to data subjects.