The moment you discover a personal data breach, the clock starts ticking. Under the GDPR, data controllers must notify the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. This tight deadline means you need a clear, well-rehearsed incident response plan long before a breach ever occurs.
What is a “Personal Data Breach”?
A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not only about data leaving the organisation; it can be as simple as an email sent to the wrong person, a stolen laptop, or a ransomware attack that encrypts records, since losing access to personal data counts even when nothing was exfiltrated.
The 72-Hour Clock
The 72-hour window begins "after having become aware" of the breach, so awareness is the key concept. It does not mean the point at which you know every detail; under the supervisory authorities' guidance, a controller is aware once it has a reasonable degree of certainty that a security incident has compromised personal data. A short initial investigation to establish that much is acceptable, but it must be prompt, and the clock does not wait for a full forensic picture. If you cannot notify within 72 hours, the notification must be accompanied by the reasons for the delay, and the required details may be provided in phases as they become available. A processor that discovers a breach must notify the controller without undue delay; the controller's own 72 hours run from the moment it is informed.
Which Breaches Must Be Reported?
Not every breach must be reported to the supervisory authority, but the threshold is lower than "high risk". Notification is required unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons"; the "high risk" test applies to the separate duty to inform affected individuals. A typical example of a breach unlikely to result in a risk is a lost laptop with full-disk encryption, where the key has not been compromised and the data remain available from a backup. Do not assume a plain list of email addresses is harmless: it can fuel targeted phishing, and if the list itself reveals something about the people on it (for example, the patients of a clinic) the risk rises sharply. A breach exposing financial, medical, or other special-category data is almost always a risk, and frequently a high risk, so it must be reported. Whether or not you notify, you must document every personal data breach, including the facts, its effects, and the remedial action taken, so the supervisory authority can verify compliance.
What to Include in Your Notification
Your notification to the supervisory authority must at least include:
– The nature of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned.
– The likely consequences of the breach.
– The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
– The name and contact details of your data protection officer, or another contact point, for more information.
If you cannot supply all of this at once, send what you have and provide the rest in phases without undue further delay.
Don’t Forget the Data Subject
If a breach is "likely to result in a high risk" to individuals, you must also communicate it to the affected data subjects without undue delay. The communication must describe the nature of the breach in clear and plain language, give the same contact point, likely consequences, and measures as the authority notification, and advise people on steps they can take to protect themselves (for example, changing passwords or watching for fraudulent transactions). The duty does not apply where the affected data were protected by measures such as encryption that render them unintelligible to anyone not authorised to access them, or where you have since taken measures that make the high risk unlikely to materialise. If contacting each individual would involve disproportionate effort, a public communication that informs people equally effectively may be used instead.
The Bottom Line: Be Prepared
The 72-hour timeline is designed to be challenging. Your ability to act swiftly and decisively will depend entirely on your preparedness. This includes a dedicated incident response team, clear internal escalation and communication protocols so that the people who detect an incident reach the people who decide on notification quickly, a maintained breach register, and pre-drafted templates for communicating with both regulators and affected individuals. Tabletop exercises that run a realistic scenario against the 72-hour clock are the cheapest way to find out whether the plan works before a real breach tests it.