GDPR : Data Breach Response and Notification Procedure With Template
Definition
A crucial part of any organization's GDPR policy relates to how it will respond to a breach of its data, and how it will notify the affected customers.
The goal of the procedure is to outline the required steps once a data breach is suspected of occurring.
A data breach is any incident that causes accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to personal data.
Purpose
This document aims to explain the required response of an IT department in case of a data breach that affects personal data.
Scope
The template collates the required steps for responding to a data breach and notifying the proper authorities. A data breach requiring notification includes any incident that causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
Personal data: Any data that can identify an individual (full name, passport number, ID number, physical or electronic address, etc.).
The goal of the procedure is to ensure that the breach has been contained and that the people affected by it have been notified, as are the proper authorities.
Notification requirements :
- Identify the individuals whose personal data was breached, and notify them of the data breach
- Notify the DPA within 72 hours of the data breach with the information that appears in the template.
The Procedure
Personal data is defined as any form of data that can identify a certain individual. The organization is required to notify both the affected customers and the relevant GDPR authorities as soon as the breach has been detected.
A data breach notification procedure should include the following steps:
- Identify and contain the breach.
- Assess the risks associated with the breach.
- Notify the individuals affected by the breach.
- Notify law enforcement if required.
- Cooperate with law enforcement, if required.
- Take steps to prevent future breaches.
Required Fields in the Procedure
The procedure must include the following information :
- Immediate Actions: Assessment of the breach ramifications, what caused the breach and who will be responsible for mitigating its impact and notifying the customers and authorities.
- General Information: Location, date & time, how was it discovered, the scope of the breach. and the organizations’ details.
- Details: The specifics of the breach, how the organization plans on dealing with it, and the consequences of the breach.
- Notification (both the GDPR authorities and the customers): How were they notified, by whom and the POC.
- Lessons Learned: How can the organization do better in the future, which new tools or procedures are required and personal ramifications in case of a human error.
Regulations
The following notification regulations apply :
- If the organization operates in only one European country: Notify the local DPA
- If the organization operates in multiple European countries, notify each country’s local DPA.
- If the organization doesn’t have a physical presence in any European country: Notify the local DPA in each country that the organization is active in.
Roles and Responsibilities
- DPO : Is in charge of approving all processes and policies which pertain to the GDPR and ensuring that they comply with its statutes and regulations. This role is required by the GDPR, and is the compliance SME of the IT department.
- Documentation SME : Produces the release notes of the project, documents any known issues, and prepares the customer notifications. Assists in all training material preparation.
- Legal SME : Ensures that the consent form complies with the rules and laws of the country that the organization is based out of.
- PMO : Tracks the progress of the project and compares it to the plan, as well as risks, dependencies, and action items. Also tracks the cross-functional dependencies, in order to recognize the bottlenecks, and raise yellow / red flags that may postpone the project.
Glossary
Term | Description |
SME | Subject Matter Expert |
GDPR | General Data Protection Regulation |
PMO | Project Management Officer |
DPO | Data Protection Officer |
EU | European Union |
POC | Point of Contact |