Home Knowledge New GDPR Guidelines: Organisations Urged to Introduce Breach Response Plans

New GDPR Guidelines: Organisations Urged to Introduce Breach Response Plans

October 23, 2017
Partner
David Cullen

 

Organisations must introduce processes for recognising, assessing and notifying data breaches according to new GDPR guidance issued by EU privacy regulators.  The draft guidelines address when data controllers and processors are considered to be aware of a breach and the processes organisations should have in place to address data breaches.

Under article 33 of the General Data Protection Regulation (GDPR), controllers must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons.  Controllers are also required to communicate personal data breaches to the concerned data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons under article 34.  As the guidelines clarify, the threshold for notifying data subjects is therefore higher.

When Does a Controller Become Aware of a Data Breach?

According to the guidelines, a controller is aware of a data breach when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.  Furthermore, the guidelines state that in principle, the controller should be considered aware when a processor who processes data on its behalf becomes aware.

New Processes Required

One of the main takeaways from the guidelines is the emphasis on controllers and processors having processes in place for responding to personal data breaches.  In such a process:  

  • Information concerning security-related events should be directed towards responsible person or persons;
  • the risk a breach poses to individuals should be assessed;
  • the supervisory authority, and if necessary, the individuals concerned, should be notified; and
  • the controller should act to contain the breach.  

There is also an emphasis on the timeliness of notifications.  Supervisory authorities must be notified within 72 hours of becoming aware of a breach, and failure to act in a timely manner could be considered a failure to notify.  Individuals should be notified without undue delay so that they can take steps to protect themselves from the negative consequences of the breach.

For further information on the GDPR, please see William Fry’s “PrivacySource”, a dedicated website where our Technology team will provide ongoing analysis and assistance on the implementation of the GDPR.  

Contributor: John Magee and Brian McElligott


Follow us @WilliamFryLawTwitter

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Consultant
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all