Notification of a Personal Data Breach under GDPR compliance

Published July 24, 2021 / Updated December 8, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E


Background of Breach Notifications in the GDPR

In 2016, the GDPR passed into law; its purpose is to grant individuals rights over their personal data through a uniform standard of protection across the EU. In this spirit, the GDPR imposes strict personal data breach notification requirements with very tight deadlines.

What is a Personal Data Breach?

The GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by an organization.

A personal data breach can be of three types:

Confidentiality Breach:

A confidentiality breach happens when there is unauthorized or accidental disclosure of, or access to, personal data. An example of this kind of data breach can be an email with the personal data of an organization's employees, including name, address, salary, national insurance number, and date of birth, which is inadvertently sent to the wrong recipient.

Integrity Breach:

An integrity breach happens when there is an unauthorized or accidental alteration of personal data. An example of this kind of data breach is when incorrect contact details are entered by accident, or when the wrong individual is contacted with details relating to another individual.

Availability Breach:

An availability breach happens when there is an unauthorized or accidental loss of access to, or destruction of, personal data. This includes both the permanent and temporary loss of personal data—for example, a cybersecurity incident in which an individual's data is accidentally deleted from the database.

A personal data breach can cause significant harm to the data subject and may result in physical, material, or non-material damage, including emotional distress.

The GDPR requires organizations to report personal data breaches to supervisory authorities and impacted data subjects. However, not every personal data breach needs notification.

Let's explore the circumstances under which a personal data breach warrants notification along with other breach notification requirements.

Which personal data breaches must be reported under the GDPR?

As per Articles 33 and 34 of the GDPR, only those personal data breaches that are likely to result in a risk to the rights and freedoms of data subjects require notification. The organization must notify all such breaches to the supervisory authority. Where the risk to the rights and freedoms of data subjects is high, organizations must also notify the impacted data subjects without undue delay.

Which parties are required to be notified and what are notification timelines?

As per Articles 33 and 34 of the GDPR, three parties are required to be notified:

  1. Supervisory authority: Notification to the supervisory authority must be made without undue delay and not later than 72 hours after having become aware of the breach.
  2. Impacted data subjects: Notification to impacted data subjects must be made without undue delay.
  3. Data controller: Processors must notify data controllers of any personal data breaches to help them fulfill their breach notification requirements on time.

Can a notification be delayed?

Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay. The information relating to a personal data breach may also be provided to the supervisory authority in phases if it is not possible to provide all of it at the same time. However, all available information must be provided without undue further delay.

What should a personal data breach notification consist of?

The personal data breach notification should, in clear and plain language, consist of the following:

  1. Description of the nature of the personal data breach, including the categories and an approximate number of data subjects and data records involved.
  2. Name and contact details of the DPO or other contact points from which more information can be obtained.
  3. Likely consequences of the personal data breach.
  4. Measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.

Are there any exceptions to the breach notification requirement?

There are no exceptions as far as the breach notification to the regulatory authority is concerned. The notification to impacted data subjects may not be required under any of the following conditions:

  1. The controller has implemented appropriate technical and organizational measures such as encryption that render the personal data useless to any unauthorized person.
  2. The controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
  3. It would involve a disproportionate effort to notify data subjects. In such a case, the data controller shall issue a public communication or similar announcement whereby the data subjects are informed in an equally effective manner.

Are there any breach documentation requirements?

Under Article 33(5) of the GDPR, data controllers must document every personal data breach. Such documentation must consist of at least the facts relating to the breach, its effects, and the remedial actions taken. Organizations should also record the steps and actions they have taken after a security incident in a single breach report, even if they are not required to notify the regulatory authority or data subjects. Such breach reports help them demonstrate compliance to the regulatory authority.
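The notification rules set out above (risk threshold, the 72-hour deadline, phased delivery, the Article 34(3) exceptions and the Article 33(5) record) written out as a decision procedure; this is an added example, not code from the article or from Securiti's product. The field names, the `Risk` levels and the sample incidents in `worked_cases()` are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class Risk(Enum):
    NONE = "unlikely to result in a risk"      # record internally only
    RISK = "risk to rights and freedoms"       # notify the supervisory authority
    HIGH = "high risk to rights and freedoms"  # also notify data subjects

SA_DEADLINE = timedelta(hours=72)  # Art. 33(1), counted from awareness
REQUIRED_CONTENT = ("nature", "contact", "consequences", "measures")  # Art. 33(3)

@dataclass
class Breach:
    aware_at: datetime                     # when the controller became aware
    risk: Risk                             # outcome of the severity assessment
    data_unintelligible: bool = False      # Art. 34(3)(a), e.g. strong encryption
    risk_no_longer_likely: bool = False    # Art. 34(3)(b), subsequent measures
    disproportionate_effort: bool = False  # Art. 34(3)(c)

@dataclass
class Decision:
    notify_authority: bool = False
    authority_deadline: datetime | None = None
    notify_subjects: bool = False
    public_communication: bool = False
    reasons: list[str] = field(default_factory=list)

def decide(b: Breach) -> Decision:
    """Apply Art. 33/34: who must be told, by when, and which exception applies."""
    d = Decision()
    if b.risk is Risk.NONE:
        d.reasons.append("no likely risk: internal record only (Art. 33(5))")
        return d
    d.notify_authority = True
    d.authority_deadline = b.aware_at + SA_DEADLINE
    if b.risk is not Risk.HIGH:
        d.reasons.append("risk not high: data subjects need not be notified")
    elif b.data_unintelligible:
        d.reasons.append("Art. 34(3)(a): data unintelligible to unauthorised persons")
    elif b.risk_no_longer_likely:
        d.reasons.append("Art. 34(3)(b): high risk no longer likely to materialise")
    elif b.disproportionate_effort:
        d.public_communication = True  # Art. 34(3)(c): equally effective public notice
    else:
        d.notify_subjects = True  # Art. 34(1): without undue delay
    return d

def authority_notice(b: Breach, now: datetime, content: dict) -> dict:
    """Build the Art. 33 notice; mark it phased if items are missing, late if past 72 h."""
    missing = [k for k in REQUIRED_CONTENT if not content.get(k)]
    return {"content": {k: content.get(k) for k in REQUIRED_CONTENT},
            "phased": bool(missing), "pending_items": missing,
            "reasons_for_delay_required": now > b.aware_at + SA_DEADLINE}

def worked_cases() -> dict:
    # Constructed sample breaches (not real incidents) run through the functions above.
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    late_notice = authority_notice(Breach(aware, Risk.RISK), aware + timedelta(hours=80),
                                   {"nature": "mis-sent payroll email", "contact": "dpo@example.com"})
    return {"plain_high": decide(Breach(aware, Risk.HIGH)),
            "encrypted_laptop": decide(Breach(aware, Risk.HIGH, data_unintelligible=True)),
            "mass_leak": decide(Breach(aware, Risk.HIGH, disproportionate_effort=True)),
            "minor": decide(Breach(aware, Risk.NONE)),
            "late": late_notice}
```

`decide()` only tells you whom to notify; whether the risk is "high" is still the output of the severity assessment described later on this page.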

Can a supervisory authority require the controller to notify the personal data breach?

Under Article 34(4) of the GDPR, the supervisory authority may require the data controller to notify a personal data breach to data subjects if it has not done so. In that case, the supervisory authority shall take into consideration whether the personal data breach is likely to result in a high risk to data subjects.

How can you prevent a Personal Data Breach?

To prevent personal data breaches, organizations must implement appropriate security controls relevant to the circumstances of data processing. Such security controls may be preventative (security measures to limit the personal data breaches) and remedial (mitigation measures to limit the impact of a personal data breach that has happened) in nature.

Organizations must consider the following factors while choosing an appropriate security control for the protection of personal data:

  1. Nature, scope, context, and purposes of personal data processing:
    The nature, scope, context, and purposes of data processing may affect the risks to the rights and freedoms of data subjects. For example, the more sensitive the data is, the higher the risk of harm will be. Even a small amount of highly sensitive personal data can have a high impact on an individual. Therefore, such factors must be taken into account while implementing a security control.
  2. Industry best practices around security controls:
    Data security is a domain of professional expertise. Therefore, organizations must consider industry best practices in choosing an appropriate security control. For example, encryption is one of the industry-acceptable security measures.
  3. Costs of implementation of security controls:
    A security control does not need to be exorbitantly expensive, but organizations must consider the cost of implementing it. Companies must invest in security measures and implement controls whose cost is proportionate to the risk being addressed.

In addition to the considerations above, an ideal security control must have the following abilities:

  • Ability to restore the availability and access to personal data promptly in the event of a security incident.
  • Ability to render the data unintelligible for any person who is not authorized to access it.
  • Ability to ensure confidentiality and integrity of data processing systems and services.

Despite security controls, security incidents will inevitably take place. However, not every security incident qualifies as a personal data breach, and not every personal data breach requires notification to the regulatory authority and impacted data subjects. Therefore, every organization must have an effective and robust breach response management process. It must have a mechanism in place to determine when a security incident is considered a personal data breach and when a personal data breach needs to be notified, to identify areas of improvement, and to implement the remediation measures needed to reduce consequences to data subjects.

Responding to a personal data breach under GDPR compliance

Once a security incident has taken place, an organization must immediately respond to it. An effective breach response mechanism has the following steps:

Containment of the security incident:

The first step is to contain the security incident immediately: recovering lost information where possible, disabling the breached system, canceling or changing access credentials, and fixing any weakness in the organization's physical or technical security. Containing the security incident enables organizations to mitigate the risks posed to data subjects.

Data Breach Assessment:

The second step is to determine whether the security incident qualifies as a personal data breach. The definition of a personal data breach differs from one privacy law to another, and therefore, the organization must conduct the data breach assessment relevant to its jurisdiction.

Data Breach Risk Severity Assessment:

Once a personal data breach has been determined, the next step is to evaluate the severity of the potential or actual impact on data subjects as a result of the breach and the likelihood of this occurrence. This should be done by taking into consideration the nature of the harm that may be caused to data subjects, whether the breached personal data was sensitive, whether the breached personal data was protected by a security control and any other relevant factors. The data breach risk severity assessment enables organizations to determine their breach notification requirements.

Breach notification:

After the data breach risk severity assessment is conducted, the results inform the organization whether it is required to notify the breach to a regulatory authority or impacted data subjects or both. It must fulfill its breach notification obligations within stipulated time frames to avoid any penalties and sanctions. These requirements have been discussed in detail above.

Reviewing security controls:

After the occurrence of every security incident and personal data breach, the organization must review and update its data breach response mechanism. It must assess the effectiveness of security controls to prevent security incidents and data breaches in the future.

GDPR Personal Data Breach Fines

Failure to notify a personal data breach as per the requirements of the GDPR may expose your organization to a regulatory fine of up to 10,000,000 euros or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher) and other penalties.

Recent examples of fines and penalties imposed on organizations that failed to comply with privacy regulations:

As far as the imposition of fines is concerned, there have been several cases where organizations had to pay vast amounts of money for failing to comply with applicable data privacy regulations. For example:

  1. British Airways (BA) was fined a record £183 million [~$230 million] by the UK's data protection authority, the ICO. (Source: CSO Online)
  2. Marriott International was initially fined £99 million [~$124 million] after payment information, names, addresses, phone numbers, email addresses, and passport numbers of up to 500 million customers were compromised. The source of the breach was Marriott's Starwood subsidiary; attackers were thought to be on the Starwood network for up to four years after it was bought by Marriott in 2015. (Source: CSO Online)
  3. Twitter was fined €450,000 in Ireland, on 2020-12-15, for insufficient fulfillment of data breach notification obligations. (Source: Twitter Final Decision)
  4. Booking.com was fined €475,000 in the Netherlands, on 2020-12-10, for insufficient fulfillment of data breach notification obligations. (Source: Booking.com Final Decision)

How does Securiti help automate Data Breach Management?

Securiti's Data Breach Management provides a comprehensive workflow to manage the entire breach management lifecycle. It comes integrated with other product modules to provide out-of-the-box automation for various aspects of breach management.

Securiti offers an automated and integrated approach that has three components.


Data Breach Workbench

With a Data Breach workbench, organizations can centralize & collect all incoming breach requests on an internal privacy portal. The privacy officers can use the workbench to manage the entire lifecycle of a data breach that includes the following stages:


Sensitive Data Intelligence

With Sensitive Data Intelligence, administrators can identify what data was compromised and whose data it was. Sensitive Data Intelligence provides the ability to automatically discover hundreds of sensitive data attributes stored in on-premises or cloud-based data and use People Data Graph to link the data with their owners. You can learn more about Sensitive Data Intelligence here.

Privacy Research

A Data Breach Management program isn't complete without relevant knowledge about international laws and regulations. With Securiti's Data Breach Management module, organizations can use built-in research data to identify notification requirements, exceptions, and remediation provisions. Based on who is impacted and the nature of the data breach, the relevant information is automatically presented to incident managers.

Securiti's Data Breach Management module is an end-to-end solution for your entire incident response lifecycle.

Benefits of a Breach Management Solution


Conclusion

GDPR is the benchmark for modern privacy laws. All the laws and regulations passed by more than 200 countries are based on principles laid down by the GDPR. For organizations with global operations, it is important to have a robust, reliable data breach management solution that automates processes and reduces response time. Securiti's data breach management solution has been designed for this purpose and has helped several organizations prepare for any data breach incidents.


Frequently Asked Questions (FAQs)

A GDPR data breach is an incident in which a security breach leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed by an organization and protected by the General Data Protection Regulation (GDPR). Personal data may include any information related to an identified or identifiable individual.

Examples of GDPR data breaches include unauthorized access to customer databases, data theft, accidental data loss, hacking incidents, and any incident compromising personal data's security or confidentiality.

Any entity that processes the personal data of individuals in the EU shall comply with GDPR. Processing may include the collection, storage, transmission, and analysis of personal data. Even if entities are not working in the EU itself, if they process the personal data of individuals in the EU, they shall also comply with GDPR.

Companies can reduce risks by following GDPR guidelines, ensuring proper data security, obtaining user consent, and responding quickly to data requests and breaches.
