Handling data breaches under the GDPR

Τhe purpose of this material is to explain the requirements deriving from the GDPR regarding personal data breaches and provide practical guidance on how to effectively respond and manage data breaches. The material covers the following aspects: what a personal data breach is and what are the types of breaches, how is a personal data breach assessed considering the level of risk, how to notify a data breach to the competent supervisory authority, how to communicate a data breach to the affected individuals and how to document a personal data breach.

At the end of the study, the reader is expected to:

• Understand the concept and the importance of timely and properly detecting and handling personal data breaches.
• Have knowledge of the obligations deriving from the GDPR regarding data breaches towards the competent supervisory authority and the affected individuals as well as internally in the SME.
• Understand the steps involved in the incident handling procedure taking into account the time framework set by the GDPR.

Key Messages

• Establish clear procedures and plans for the detection and handling of personal data breaches.
• Raise staff awareness and provide regular training on data breach detection and management procedures.
• Establish clear procedures for the reporting of data breach incidents to the persons or team responsible for investigation and handling.
• Keep an up-to-date internal register of personal data breaches recording all evidence proving compliance.

See relevant slides

1. ‘Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01’, EDPB
2. ‘Guidelines on personal data breach notification For the European Union Institutions and Bodies’, EDPS
3. Personal data breaches, ICO
4. EDPS-ENISA Conference: Towards assessing the risk in personal data breaches
5. Recommendations for a methodology of the assessment of severity of personal data breaches, ENISA
6. Personal data breach notification tool, ENISA