Reporting a Breach Under the GDPR

Danny Murphy by   05.23.2018   Compliance

Even though GDPR is almost upon us, there still seems to be a bit of confusion as to the rules of breach notifications. How long do I have to report a breach? Who do I report a breach to? Do all data breaches need to be reported?

It’s natural to have questions, and it’s natural not to want to read that outrageously long book of chapters and articles to find the answer. So, let’s see if we can answer some of the main questions around data breach reporting here.

What Kind of Breaches Should be Reported?

In short – not all data breaches need to be reported externally under the guidelines of the EU regulators. Essentially, although the GDRP is quite vague on the issue, data breaches only need to be reported externally if they contain the personal information of EU citizens and the breach could lead to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The term ‘personal data’ refers to personally identifiable information (PII). This information could include names, addresses, phone numbers, sexual orientation, IP number and much more.

Obviously, it’s never that simple, and the GDPR does use some very vague terminology when describing the exact scenario in which you should report a breach to your local supervising authority. One phrase that crops up a lot is that a breach should be reported if it creates a risk to the “rights and freedoms” of EU citizens. So, what does this mean?

Right and freedoms is a direct reference to the property and privacy rights that are listed in the EU Charter of Fundamental Rights. A quick glance at this charter will tell you that it’s essentially common sense of when to report a data breach (if their personal data is exposed or accessed unlawfully, for example).

How Long Do I Have to Report a Breach?

One of the potentially most worrying things about the GDPR is that it states you have a 72-hour time limit to report a breach to your supervisory authority. This really isn’t very long, especially if you’re trying to determine who the breach has affected using native auditing methods. Thankfully, this isn’t as cut and dry as you might think.

You don’t have to report a breach 72 hour from the time the breach started. In reality, you have 72 hours from the moment you became aware that there was a reportable breach. So, you have time to establish that there was a breach and that the breach involved personal data. Once you have identified this, then the time limit comes into play.

That 3-day limit may still seem a bit daunting considering all of the information you have to provide in the event of a breach.

What Do I Have to Tell Supervisory Authorities?

So, you’ve determined there was a breach and that personal data of EU citizens was involved. What next? You’re going to have to notify your supervisory authorities and include basic information that is laid out in article 33 (although additional information can be requested). In summary, you should do the following:

  • Explain what the nature of the breach is, who was involved, what type of data was involved and the amount of data we’re dealing with.
  • Provide the contact details of the data protection officer in your organization
  • Explain what you think the consequences of the data breach will be
  • Explain what you’re going to do to address the breach and mitigate the risks of it happening again

The first step to ensuring that you’re prepared in the event of a data breach is to have a reporting solution in place that will help you answer the key questions and provide auditors with the information they need. Solutions like LepideAuditor enable you to determine whether any unauthorized changes take place in your critical systems and to your sensitive data. LepideAuditor provides you with an audit trail that can help you determine whether a breach has taken place, the causes of that breach and which data was affected. This will help you please that pesky GDPR auditor and supervisory authority should the worst happen.

Click here to know how LepideAuditor helps you with GDPR.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.