Once you’ve been given the bad news, the first thing you must do is assess the risk involved. How many people could this breach harm, and how badly? Are people’s rights and freedoms at risk? The definition of “people’s rights and freedoms” can be a bit unclear, so Recital 85 of the GDPR provides some clarification on this.
If you still aren’t sure, you could take the self-assessment created by the Information Commissioner's Office to help you decide. If you have found that the risk is great enough, you must involve the supervisory authorities and notify the people at risk without delay. A high-risk situation, in particular, means that you must notify the people at risk as soon as possible, so that those affected can take measures to protect themselves.
When reporting a breach, you have to follow the rules carefully. While experiencing an attack is nerve-wracking in and of itself, you must follow the GDPR guidelines to the letter. The GDPR requires organizations to take certain decisive steps within a short window of time. Therefore, it is important that your IT, Security, and Legal teams work together within your organization and have an agreed-upon process to follow when a data breach occurs. You should ideally notify the authorities immediately, but you have up to 72 hours to report. If you take longer than that, you will have to provide the authorities with a valid reason for the delay. Controllers and processors should be in constant communication regarding their progress in reporting so that neither party exceeds the time limit in the event of a breach.
To report a breach, you have to call the Supervisory Authority within your region. At a minimum, you should provide the following when reporting a breach:
- describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
After you’ve talked to the authorities, they will help you identify the proper next steps, which vary widely depending on the exact circumstances of your breach. They may take regulatory action, identify data security incident trends, or even share the report with law enforcement and cybercrime agencies. Keep in mind that honesty is always the best policy – if you delay or give incomplete information, you could face hefty fines.