Data breach

Draw up a data breach protocol and keep a register

Under the GDPR you may be obliged to report a data breach to the competent supervisory authority and/or to the data subjects concerned. A data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data held by an organisation. The term therefore covers not only the release (leak) of data, but also unlawful processing of data and unintended destruction or loss.

Under the GDPR you are obliged to report a data breach to the data protection authority of your country without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. In addition, if the breach is likely to result in a high risk to those individuals, you must also notify the data subjects themselves (for example your customers) without undue delay.


Data breach protocol

To be able to comply with the aforementioned obligations, you must ensure that you become aware of a data breach as soon as it occurs and take appropriate action immediately. It is therefore important to have a data breach protocol. In the protocol you record the steps to be taken if your organisation is confronted with a data breach: what information must be collected, recorded and/or reported, by whom, to whom, and within what time frame.


Data breach register

In addition, the GDPR requires that all data breaches that have occurred in your organisation, both those reported to the authority and those not reported, be documented in a register. For each breach the register should record the facts of the breach, its effects and the remedial action taken.

Based on this register, the competent authority can check whether you have complied with your reporting obligation.