The GDPR requires you to inform the data protection authority in your country of any data breach likely to pose a risk to the data subjects involved. We’ll show you exactly how to respond to a data breach under the GDPR!

What counts as a data breach?

Any time personal information is accessed or disclosed without authorization, destroyed accidentally or unlawfully, altered, or stolen, it’s referred to as a data breach.

The causes of data breaches can be grouped into three categories:

  1. Loss or theft: e.g., employee laptop lost or stolen
  2. Internal threats: e.g., an employee leaking information after being fired
  3. External threats: e.g., hackers gaining unauthorized access to your website’s contact form submissions

What does the GDPR require you to do in the case of a data breach?

If you believe a data breach has occurred and that it’s likely to pose a risk to the data subjects involved, the GDPR requires you to notify the relevant data protection authority in your country within 72 hours. If you’ve assessed the breach and don’t see any risk to your data subjects’ rights, you don’t need to make a report.

Whether you make a report or not, the GDPR requires you to document every personal data breach, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. This documentation may save you in the case of a serious breach, as the supervisory authority will use it to verify compliance.

What do you need to provide in case of a serious breach?

In the case that you’ve detected a data breach that is likely to pose a risk to the data subjects involved, you’re going to need to provide the following information to your data protection authority:

  1. A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. The name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. The likely consequences of the personal data breach;
  4. The measures taken or proposed to be taken by your company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

When to communicate a data breach with the impacted data subjects

The GDPR requires you to notify the victims of a personal data breach when it is likely to result in a high risk to their rights and freedoms. The notification must be given immediately unless there is a legitimate, unavoidable obstacle. You do not need to notify impacted data subjects if you’ve assessed the breach and don’t see any risk to your data subjects’ rights.