Data Breach Notification
Data breach notification is the legal obligation to inform regulators and affected individuals after a personal-data breach, within set deadlines such as the GDPR's 72-hour reporting window.
Also: Breach Notification, 72-hour notification
Data breach notification is the duty to tell the right parties when personal data has been compromised. Under the GDPR it has two parts. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the people concerned; a notification made after 72 hours must state the reasons for the delay. Article 34 requires the affected individuals to be told without undue delay when the breach is likely to result in a high risk to them. Many other regimes impose comparable, and sometimes stricter, deadlines.
The report to the regulator has to describe the nature of the breach, including the categories and approximate number of data subjects and records involved; give the contact details of the data protection officer or another contact point; set out the likely consequences; and describe the measures taken or proposed, including any to mitigate possible adverse effects. Where all of that is not available at once, it may be provided in phases without further undue delay. The communication to individuals must describe the nature of the breach in clear and plain language and cover at least the contact point, the likely consequences, and the measures taken or proposed, including what the individuals themselves can do. Independently of any notification, the controller must document every personal data breach, including its facts, effects and the remedial action taken, so that the supervisory authority can verify compliance.
The detail that catches organizations out is when the clock starts: at awareness, not at full understanding. Awareness often arrives from outside: a researcher's report, a press inquiry, or the data appearing for sale can be how the organization learns of the breach, and once it has reasonable certainty that personal data was compromised the countdown runs regardless of how far the internal investigation has got. For customer identity, where the breached asset is often the identity store itself, this makes a tested response plan and clean, exportable audit logs (to establish quickly which accounts and attributes were touched) a compliance requirement rather than a nicety.
Sources
- GDPR Article 33, Notification of a personal data breach to the supervisory authority: https://gdpr-info.eu/art-33-gdpr/
- GDPR Article 34, Communication of a personal data breach to the data subject: https://gdpr-info.eu/art-34-gdpr/
Standards
- GDPR Article 33
- GDPR Article 34