In the continuing series of GDPR articles, we will look at article 33 – reporting data breaches. If you’ve missed any articles or are unfamiliar with GDPR, you can check out the first GDPR article published.

Every day around 5 million data records are breached, and the number only seems to be growing as time goes on. The GDPR changes are coming in at a good time and will change the process of dealing with and handling breaches.

What kinds of breaches are required to be reported?

The article lays out – vaguely – what kinds of data breaches must be reported to a ‘supervisory authority’ (the ICO) and whether the data subjects whose data is breached are required to be told.

The first step is determining whether a breach is likely to result in a risk to the data subjects’ rights and freedoms. This means that if any rights set out by GDPR are at risk because of a breach, it MUST be reported. An example of this would be a hacker or a thief somehow retrieving a copy of someone’s personal data. Personal data cannot be exchanged, whether this is intentional or unintentional. So this would have to be reported, as it poses some risk.

The next stage is determining whether it is a high risk or low risk to the individual’s rights. If it is regarded as a high risk, the individual must be notified and given any available information on steps they can take to protect themselves going forward. For example, if an unencrypted laptop containing the personal data of many clients is stolen, this can be categorised as a high risk, since the data is easily accessible and transferable.

No matter how high or low risk a breach is, all breaches must be documented and recorded.

Reporting within 72 hours

A key detail of this article is the requirement to report any breaches which do put individuals’ rights at risk within a 72-hour timeframe.

This 72-hour timeframe starts when the breach is discovered, although a breach may sometimes not be noticed immediately. This detail is partly an attempt to push organisations into getting better and more modern systems in place to detect breaches, and to contain and deal with them more urgently.

It’s likely that a large percentage of companies currently do not have effective systems in place to detect breaches and deal with them immediately.

What measures should be put in place?

Article 32 states that data controllers are required to put appropriate security measures in place, relative to the risks posed by security breaches.

There are a few key measures that should be in place, including but not limited to:

- Encryption
- Ability to restore and access personal data
- Regular testing of current systems in place
- Evaluations of current systems in place

Further reading

This article is not a guide on what you and your organisation can do to be compliant with the changes being brought about by GDPR; it is only a basic explanation of these articles. For more details, please refer to the following:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-breaches
https://united-kingdom.taylorwessing.com/globaldatahub/article-data-security-and-breach-reporting-under-the-gdpr-and-nisd.html