Home

What should a data breach notification contain?

Previously, I wrote a blog post (see here) on data breaches and where to report them, focusing on the notion of ‘lead supervisory authority’. In this blog post, I focus on the contents of data breach notifications in relation to the GDPR. It is important to notice that notifications might be to either of two stakeholders: the supervisory authority and/or the data subjects concerned (the ‘victims’ of the data breach). Using GDPR compliance software you can aid this process and improve your ability to meet GDPR requirements.

Notifying Stakeholders in the Event of a Data Breach

Articles 33 and 34 GDPR distinguish between three types of cases:

  • A breach is unlikely to result in a risk to the rights and freedoms of natural persons (art. 33(1) GDPR). In this case, no notification is needed but the breach should be registered within your organisation for accountability purposes

  • A breach is likely to result in a risk to the rights and freedoms of natural persons (art. 33(1) GDPR). In this case, a notification to the supervisory authority is needed.

  • A breach is likely to result in a high risk to the rights and freedoms of natural persons. In this case, in addition to the notification to the supervisory authority, the data subject also needs to be notified (art. 34(1) GDPR).

The third case is said to be subject to three exceptions (art. 34(3) GDPR):

  • The personal data have been rendered in such a manner that they are unintelligible, e.g. because of encryption (and the decryption key is still kept safe);

  • The high risk is unlikely to materialise because of subsequent measures;

  • The notification would require disproportionate effort.

In my view, though, these breaches are not really exceptions, because the first two basically take away ‘high’ from the ‘high risk for the data subject’. And the third one is still a notification, however through different means.

Please take into account that the supervisory authority might decide on the necessity of a data subject notification and thus interpret the term ‘high risk’ and the exceptions.

gdpr guide

Contents of a notification to the supervisory authority

Notifications to the supervisory authority are made under art. 33 GDPR. According to this article, a notification has to contain the following constituents:

  • the nature of the breach, including, where possible:

    • the categories and approximate number of data subjects involved;

    • the categories of personal data and the number of personal data records concerned;

  • the name and contact details of the data protection officer or other contact person;

  • a description of the likely consequences of the breach for the data subject;

  • measures taken to address the consequences of the data breach, including mitigating measures to counter adverse effects for the data subject;

  • if the notification is not made within 72 hours after the controller became aware of the breach, the reasons for the delay should be provided.

Please note that, even if you choose not to notify a breach, you still have to keep a register of breaches.

Contents of a notification to the data subject

As to the contents of a breach notification to the data subject, the following are the requirements (art. 34 GDPR):

  • the name and contact details of the data protection officer or other contact person;

  • a description of the likely consequences of the breach for the data subject;

  • measures taken to address the consequences of the data breach, including mitigating measures to counter adverse effects for the data subject;

  • if the notification is not made within 72 hours after the controller became aware of the breach, the reasons for the delay should be provided.

These mirror the requirements from art. 33(3) with the exception of the nature of the breach. This is strange, as one might expect the data subject to be informed about at least the categories of personal data that are part of the breach, so that the data subject can act upon that (e.g. change a password that was leaked).

It is also important to realise that, although articles 33 and 34 GDPR do not allow for deviations in national legislation, supervisory authorities should provide a way to notify breaches to them, and in designing the relevant (web) forms, they can take a lot of freedom regarding the questions they ask. In practice, this might result in more questions being asked than are part of the literal articles 33 and 34.

Laurens Mommers
COO PrivacyPerfect

PrivacyPerfect is a GDPR compliance software provider working across multiple industries.