Reporting data breaches: GDPR requirements
This is what’s required from a data breach notification point-of-view:
-
As the processor: you just have to inform your controller (so client in your case) “without undue delay” (so relatively quick). You only have to do this once you’ve come aware of a “personal data breach” (meaning, personal data is involved). You never directly communicate to the “data subject” (the person who’s data was lost), it’s the controller who has to do that.
-
As the controller: This one has been mentioned more often. You have to:
- Report to the data protection authority (DPA) within 72 hours of becoming aware of the data breach, unless it’s unlikely to result in a risk to the “rights and freedoms of natural persons”. (this means, do report if there’s a chance. if you don’t report it, make sure to document why extremely well). The DPA for us is the privacy commission. Leaks can be reported here: https://www.privacycommission.be/fr/la-notification-de-fuites-de-donn%C3%A9es.
- To the “data subject” (person who’s data was lost) if the breach is likely to result in a “high risk to the rights and freedoms of a natural person”, you need to report “without undue delay” and in an easy to understand language. There’s a loophole here: you don’t have to report anything if you take “subsequent measures which ensure that the risk is no longer likely to materialise”. (meaning: if you implement extra security measures, you don’t have to report to the subject). However, be aware that the DPA might force you to report a data breach.