October 24, 2017
The Working Party explains that the GDPR introduces the requirement for a personal data breach to be notified to the relevant national authority and, in certain cases, communicated to the individuals whose personal data have been affected by the breach.
Notification will be mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. The Working Party explains that processors will also have an important role to play and they must notify any breach to their controller.
The Working Party considers that the new notification requirement has a number of benefits and is encouraging controllers and processors to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and to determine whether it is necessary to notify the authority and to communicate the breach to the individuals concerned. Notification to the national authority should form a part of that incident response plan, it says.
To assist, the Working Party has published Guidelines that explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these new obligations. The document also gives examples of various types of breaches and who would need to be notified in different scenarios. The Working Party is asking for feedback on the Guidelines. The deadline for responses is 24 November 2017.