Irish DPC Releases GDPR Breach Notification Guidance
The supervisory authority for the General Data Protection Regulation (GDPR) in Ireland has released a set of guidelines on issuing GDPR breach notifications.
The Irish Data Protection Commission (DPC) has stated that the guidelines aim to help data controllers understand GDPR's strict requirements for notifying the data protection authority, and the data subjects whose personal data has been compromised or exposed, when a breach occurs.
The DPC is responsible for ensuring that organizations operating in Ireland uphold the data protection rights of individuals in the EU. The guidance was written explicitly for businesses operating in Ireland or otherwise collecting or processing the data of Irish data subjects. However, it is more widely applicable to any company that collects or uses the personal data of EU residents, since the underlying obligations come from the GDPR itself. The Polish data protection authority similarly issued guidance on GDPR breach notifications earlier this month.
The guidance outlines the steps organizations must follow to meet GDPR's notification requirements. An organization must report a breach to the DPC within 72 hours of becoming aware of it; if notification is made later than that, the reasons for the delay must accompany it. Organizations are not required to report a breach if, after completing a risk assessment, they determine that the incident is unlikely to result in a risk to the rights and freedoms of data subjects.
Data controllers, meaning the organizations that determine the purposes and means of processing personal data, should assume that every data breach is reportable unless it can be shown that it does not present a risk to data subjects.
GDPR further requires organizations to notify affected data subjects directly, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms, for example a high risk of their personal information being misused.
Organizations must maintain a log of all data breaches, whether or not they decided to report them, together with the facts of the breach and its cause, its effects, the remedial actions taken, and the reasoning behind any decision not to report. This log is essential: in the event of an audit or investigation, the organization must be able to produce it to demonstrate compliance.
The guidance also clarifies what constitutes a personal data breach under GDPR, using the regulation's definition: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."
The guidance covers the circumstances under which the data protection authority must be notified, when notifications must be issued to data subjects, what content those notifications must include, how they may be communicated, and the time frames for issuing them.
The guidance can be downloaded from the DPC.