Handling data breaches under the GDPR



The purpose of this material is to explain the requirements deriving from the GDPR regarding personal data breaches and to provide practical guidance on how to respond to and manage data breaches effectively. The material covers the following aspects: what a personal data breach is and which types of breaches exist, how a personal data breach is assessed according to the level of risk it poses, how to notify a data breach to the competent supervisory authority, how to communicate a data breach to the affected individuals, and how to document a personal data breach.

At the end of the study, the reader is expected to:

  • Understand the concept of a personal data breach and the importance of detecting and handling breaches in a timely and proper manner.
  • Know the obligations deriving from the GDPR regarding data breaches towards the competent supervisory authority and the affected individuals, as well as internally within the SME.
  • Understand the steps involved in the incident handling procedure, taking into account the time limits set by the GDPR.

Key Messages

  • Establish clear procedures and plans for the detection and handling of personal data breaches.
  • Raise staff awareness and provide regular training on data breach detection and management procedures.
  • Establish clear procedures for the reporting of data breach incidents to the persons or team responsible for investigation and handling.
  • Keep an up-to-date internal register of personal data breaches, recording all evidence that demonstrates compliance.


This online toolkit was funded by the European Union’s Rights, Equality and Citizenship Programme (2014-2020).

Disclaimer: The content of this online toolkit represents the views of the authors only and is their sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.