How to Report a Data Breach per GDPR


The Popular Data Protection Regulation (GDPR) Act is a broad set of data privacy rules that define how an organization must handle and protect the personal text of citizens of the European Union (EU). The Regulation also outlines the way that organizations can report a data breach.

Articles 33 and 34 outline the qualifications for breach notification; however, most businesses are still unaware of their responsibilities. Details such as what an organization should report, when, to whom it should be reported, and what should be catalogued in the breach notification are some of the major aspects that businesses overlook. This negligence can result in substantial fines.

As a Data Controller, (It accumulates and/or handles data.) the business has several key responsibilities including taking necessary measures as well as notifying concerned authorities and affected individuals in an experience of a data breach.  Let’s first understand what a personal data breach is, as per the GDPR Regulation.

What is a Personal Data Breach?

GDPR Edict is a data privacy law established to protect the personal data of citizens of the EU. Technically, the applicability of the GDPR breach notification requirements apply to only the derogatory data breached. For a better understanding, let us break down the term “personal data breach” into two parts.

According to GDPR, “personal details” can be defined as any information that relates to a natural identifiable person such as their name, contact details, or health records as well as be like identifying information, specifically of the citizens of the EU. A data breach is an event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access of special data. A data breach often occurs when an unauthorized individual or a cyber-criminal gets access to an organization’s database whether through intrusion or due to the failing of an employee handling sensitive personal data.  

GDPR frames a personal data breach as an incident that eventually results in the accidental diminution or destruction of data or the unauthorized disclosure, alteration, or access to personal data of EU citizens.

Whatever the reason or cause of a data breach, the incident that words the consumer’s rights, privacy, and freedom at risk and violates the trust between an organization and its users will result in regulators taking action against the composition.

When should IT be reported?

While it is important that the data breach incident be reported, it is also essential for organizations to understand that not all news security incidents are classified as a personal data breach. Since a breach may, “if not addressed in an appropriate and timely manner, result in physical, material or non-material spoil to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or trickster, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other valued economic or social disadvantage to the natural person concerned,” as related in Recital 85 of GDPR, the incident needs to be reported. The organization must narrative data breaches to the authorized supervisory authority within 72 hours of becoming aware of the incident.

Who should be NOTIFIED about the Data Separation?

Once the incident is identified as a personal data breach, organizations are required to report the breach to the relevant supervisory authority in accordance with Chapter 6.

If a troop has no officially established presence in the EU but still suffers an incident involving EU citizen data, then it must inform the local supervisory authorities of every Colleague State in which they are active and which is affected by the incident. As stated previously, organizations are required to inform within 72 hours of fetching aware of the breach incident.

After notifying the supervisory authority, the organization must also inform all affected individuals. At the very least, they should printing a statement that lets them know that an incident has occurred. Although not specifically codified in the regulation, an organization can demonstrate extra transparency by context up a web page and helpline for people to contact your organization to find out more and have their questions answered about the incident.

What to set forth in a Data Breach as per GDPR?

While the organization must notify the relevant supervisory authority and the affected individuals, it is also important to include demanded information concerning the data breach incident. Some of the details that should be included in the data breach notification include:

  • When the infraction incident occurred and how it was discovered.
  • The categories or types of personal data that were affected.
  • The severity of the breach both in terms of records extinct and the number of people affected.
  • The potential impact of the breach on data subjects.
  • The impact to the organization in terms of services provided to users.
  • Recovery ever from the impact of the data breach.
  • Measures taken to remediate and prevent such an incident in the future.
  • Name and contact details of the Data Immunity Officer (DPO) for obtaining further information about the breach incident.

It is important to note that when informing the people affected by the incident, shapes are required to share details such as the nature of the personal data that was breached and recommendations for the impacted person to mitigate the potential harm of the upset. Again, depending on the industry, reporting breach incidents under GDPR will also mean reporting the incident under other observations protection regulations such as HIPAA, PIPEDA, and/or other local regulations.


Following the Breach Notification rules as outlined in GDPR is quintessential for every organization. While that does not lower the consequences of the incident, it definitely helps in reducing the impact or escalation of the incident. Organizations can look at it as a way to quieten the risk involved in personal data breaches.

Regulators understand that there cannot be a complete investigation of the personal data breach within 72 hours; consequently, Article 33(4) allows organizations to provide the required information in phases without any undue further delay. However, organizations are also look for to expedite the process, prioritize the investigation, and submit further information at the earliest possible time. If all the details cannot be provided within 72 hours, the confederation will have to give a valid reason for the delay and provide a time frame for submitting more information.

About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Destroyed and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo has more than 25 years of episode in the IT Industry, with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification employments which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. Since 1994, VISTA InfoSec has sweated with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in portion top multinational companies achieve compliance and secure their IT infrastructure.

Editor’s NoteThe opinions expressed in this guest author article are solely those of the contributor, and do not inescapably reflect those of Tripwire, Inc.

Leave a Reply

Your email address will not be published. Required fields are marked *