Two of the most important principles of the EU General Data Protection Regulation (GDPR) are transparency and accountability.
You must keep people informed about the ways in which you're processing their personal data, and you are accountable to your Data Protection Authority (DPA, referred to in the text of the GDPR as a "supervisory authority") for all aspects of that processing.
Part of complying with these principles means being honest and acting quickly when things go wrong. If your company suffers a personal data breach (defined in Article 4(12) of the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, so it covers more than just loss or theft), you're obliged to report it to your DPA unless the breach is unlikely to put the people concerned at risk. In some cases, you must also inform the individuals whose data has been compromised.
Protection of personal data is considered a fundamental right in the EU. As a responsible organization, you'll have taken steps already to ensure that individuals' personal data is processed securely. But you still need to consider how you'll respond if you have a breach.
Let's take a look at the steps you need to take to notify the relevant people.
- 1. What's a Data Breach Notice Letter?
- 2. Is a Data Breach Notice Letter Mandatory?
- 3. When to Send a Data Breach Notice Letter
- 3.1. Notifying a Data Protection Authority
- 3.2. Notifying Individuals
- 3.3. Examples of Data Breaches
- 4. What to Include in a Data Breach Notice Letter
- 4.1. Notifying a Data Protection Authority
- 4.2. Notifying Individuals
- 5. Your Data Breach Policy
- 5.1. Internal Reporting
- 5.2. Containing the Breach
- 5.3. Risk Assessment
- 5.4. Assessing the Severity of the Breach
- 5.5. Notification
- 5.6. Post-Breach Evaluation
- 6. Summary of Your Data Breach Notification Letter
- 7. Download GDPR Data Breach Notice Letter Template
What's a Data Breach Notice Letter?
As part of your company's data protection policies, you should put together a procedure that will allow you to respond quickly and efficiently when your customers' data security has been compromised. As we've seen from events such as the Cambridge Analytica scandal and the Marriott Hotel data breach, such occurrences are far from uncommon.
Responding quickly is extremely important because it means that you can limit the damage done - both to the individuals affected and to your company. The good thing is that a Data Breach Notice Letter is a document that you can prepare partly in advance as part of your data breach policy.
Is a Data Breach Notice Letter Mandatory?
If you suffer a data breach that presents a risk to the people affected, you're legally required to inform your DPA and, where that risk is high, the individuals whose data may have been compromised. A Data Breach Notice Letter is a way for you to do this.
Article 33 of the GDPR requires data controllers (any organization that decides how and why the personal data of people in the EU is processed) to report a personal data breach to their DPA unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Article 34 of the GDPR requires data controllers to notify individuals (referred to as "data subjects" in the GDPR) when a breach is likely to result in a high risk to their rights and freedoms.
Data processors (any organization that processes personal data on behalf of a data controller) must inform the controller without undue delay after becoming aware of a breach (Article 33(2)). The processor doesn't notify the DPA itself; that remains the controller's job, so your contracts with processors should fix a tight reporting window that still lets the controller meet its own 72-hour deadline.
The GDPR is well-known for its huge fines, which can reach up to €20 million or 4 percent of a company's annual global turnover, whichever is higher. Failing to notify a breach under Articles 33 or 34 is itself in the lower tier of fines (up to €10 million or 2 percent, Article 83(4)), but the underlying security failure can also be treated as an infringement of the integrity and confidentiality principle in Article 5(1)(f), which sits in the higher tier. Article 83(2), echoed in Recital 148, sets out some of the factors that Data Protection Authorities take into account when calculating a fine. Among these are:
- How long the breach lasted
- Whether the company took steps to limit the damage
- Whether the company reported the incident to the Data Protection Authority
All of these factors are within your control. Having a clear procedure and Data Breach Notice Letter prepared allows you to respond quickly and efficiently, and minimize the negative impact on your company and your customers.
When to Send a Data Breach Notice Letter
There are two types of Data Breach Notice Letters:
- Ones that notify your DPA that there has been a personal data breach.
- Ones that notify the individuals that their personal data has been compromised.
As mentioned, there are two different thresholds for sending either of these.
Notifying a Data Protection Authority
The GDPR requires data controllers to notify their DPA of a personal data breach unless it is "unlikely to result in a risk to the rights and freedoms of natural persons" (Article 33(1)); in practice, you notify whenever you can't show that a risk is unlikely. This must be done "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If you miss the 72 hours, the notification must give the reasons for the delay, and Article 33(4) lets you supply information in phases where it isn't all available at once, so a partial notification on time is better than a complete one late. The clock starts when you become "aware": the Article 29 Working Party's guidance treats that as the point at which you have a reasonable degree of certainty that a security incident has compromised personal data, not the moment the first alert fires, so a short investigation to establish the facts is legitimate, but it must itself be prompt.
Recital 85 gives specific examples of the kinds of damage that make a breach a risk to individuals and so warrant notification:
- Loss of control over their personal data
- Limitation of their rights
- Discrimination
- Identity theft
- Fraud
- Financial loss
- Unauthorised reversal of pseudonymisation
- Damage to reputation
- Loss of confidentiality of personal data protected by professional secrecy
Notifying Individuals
You'll always need to inform your DPA about a breach that presents a risk. You'll also need to inform the affected individuals when the breach presents a high risk.
The GDPR requires data controllers to notify the individuals affected if a data breach is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 34(1)). The essential difference is the degree of risk: notifying individuals is only required where the risk is high.
Here's how the UK's DPA, the Information Commissioner's Office (ICO) distinguishes between a breach that would and would not require notification to individuals:
Article 34(3) of the GDPR says that notifying individuals is not required if:
- You had applied appropriate technical and organisational measures to the affected data, in particular measures such as encryption that render it unintelligible to anyone not authorised to access it. This only helps if the encryption is strong and the key was not also compromised; data encrypted with a key the attacker took as well is not protected.
- You took subsequent measures that mean the high risk is no longer likely to materialise.
- Contacting each individual would involve disproportionate effort. In that case you must make a public communication, or take a similar measure that informs the individuals equally effectively, instead.
Even where you rely on one of these, your DPA can still order you to notify the individuals (Article 34(4)).
There's no fixed 72-hour deadline here, but Article 34(1) requires the communication "without undue delay", and Recital 86 explains why: individuals need to know so they can "take the necessary precautions". So you must act quickly.
Examples of Data Breaches
The Article 29 Working Party (now the European Data Protection Board) gives some examples in its guidelines on personal data breach notification of the sorts of breaches that may or may not require notification:
- "A brief power outage lasting several minutes at a controller's call centre meaning customers are unable to call the controller and access their records." This would most likely not require reporting to either the DPA or the individuals concerned, though it should still be recorded internally.
- "A controller operates an online marketplace [...] The marketplace suffers a cyber-attack and usernames, passwords and purchase history are published online by the attacker." The company should report the incident to both the DPA and the individuals concerned.
- "A controller maintains an online service. As a result of a cyber attack on that service, personal data of individuals are exfiltrated." The company should report the incident to the DPA. Whether the individuals must also be told depends on the nature of the data taken and the severity of the likely consequences.
What to Include in a Data Breach Notice Letter
The specific information you'll need to include in your Data Breach Notice Letter will differ depending on the circumstances of the breach. But the GDPR does provide some guidance on the types of information you'll need to include when notifying both your DPA and the individuals concerned.
Notifying a Data Protection Authority
Article 33(3) sets out what you must give a DPA when you notify: the nature of the breach, including where possible the categories and approximate number of individuals and records concerned; the name and contact details of your Data Protection Officer or another contact point; the likely consequences of the breach; and the measures you have taken or propose to take to address it, including any measures to mitigate its possible adverse effects. Some DPAs ask for additional information, and many prefer you to use a specific form on their website. Take close advice from your Data Protection Officer (if you have one) and consider taking legal advice when notifying your DPA.
It's important that you find out who your DPA is. There's at least one in each EU country. If your company is established in only one EU country, you report to the DPA of that country.
If you have establishments in several EU countries, your lead DPA is the one for your main establishment; Recital 36 and Article 56 set out the criteria for determining which country that is. If you have no establishment in the EU at all, the lead-authority mechanism doesn't apply, and you may need to deal with the DPA of each country where affected individuals are located.
Notifying Individuals
If you've determined that you also need to notify the individuals whose data has been compromised, Article 34 requires you to use "clear and plain language" and include certain information.
Your Data Breach Notification Letter to individuals should answer the following questions:
- What has happened? Describe the nature of the personal data breach.
- What are the likely consequences of the data breach on the individuals concerned? It may be necessary to explain how individuals will know that they've been affected.
- What have you done in response to the data breach? Have you taken any steps to mitigate or negate the adverse consequences listed above?
- Is there anything that the individuals can do to mitigate the risk?
- Who can provide further information, if required? This should be your Data Protection Officer if you have one. Give a clear way for individuals to contact you with any questions or concerns about the breach.
This is the minimum level of detail required by Article 34(2), which refers back to the contact, consequences and measures items in Article 33(3), and it reflects the purpose set out in Recital 86. You will want to include more information depending on the situation. This additional information can include:
- The date on which you are giving the notice.
- The date on which the breach occurred.
- The date on which you discovered the breach.
- The types of personal information that have been compromised.
- How individuals can find out if they've been affected.
- Whether you have informed the authorities, and whether this caused a delay in notification.
- Contact details of the relevant Data Protection Authority.
You may have to consider your legal position when making these statements to the public. Transparency is extremely important, but it's always best to take advice on how you word such statements. You will want to avoid assuming liability unnecessarily.
Here's an excerpt from Quora's Data Breach Notice Letter:
Quora explains the incident in simple language, indicating the nature of the breach and the type of personal data affected. It then goes on to address specific concerns that users might have.
Equifax set up a dedicated website after a high profile data breach in 2017. It divides its Data Breach Notification Letter into the following questions:
Equifax provides a system whereby users can find out if they have been affected:
Equifax also suggests steps that users might take to mitigate the impact of the breach, as is required under Recital 86:
Hotel chain Starwood announced a major data breach in November of 2018. It set up a dedicated website to provide information to affected users. It answers the following questions in its breach notification:
Facebook alerted its users to a data breach via its mobile app to ensure that as many people as possible got the message.
Facebook also sought to reassure users by explaining the breach in technical terms. It even shared a video featuring its VP of Product Management explaining the breach:
By utilizing different methods of alerting and explaining, Facebook helps make sure that the most people will be reached and can understand what happened with the data breach.
Your Data Breach Policy
Once you've identified that a data breach has occurred, you must act quickly. It's important to have robust internal procedures so that everyone within your company knows what to do.
Internal Reporting
If your company has a Data Protection Officer (DPO), they should be the first person to know about any suspected or confirmed breach. The DPO should have an excellent working knowledge of data protection and will advise on whether the incident must be reported to the DPA; the decision, and the responsibility for it, stays with the controller.
If you don't have a DPO, you should specify an appropriate senior staff member in your company to whom people can report a breach.
Your Data Breach Policy might specify what information needs to be passed on in the event of a breach, but it's important not to make these requirements too onerous - time is of the essence.
Containing the Breach
If the breach is still ongoing, you'll need to take whatever measures you can to stop it. This might mean notifying the police or drawing on relevant technical expertise from within your company. Where you can, preserve evidence first (logs, a copy of the affected system, the suspect e-mail) before wiping or rebuilding anything, because your risk assessment, the DPA and any police investigation will all depend on it.
For example, you may need to:
- Take certain systems offline
- Remotely disable a computer terminal
- Reset account passwords
- Change access rights
Risk Assessment
If you can do so quickly, you should make an assessment of the risks before notifying. This will allow you to present your DPA or the individuals affected with the basic information required.
A risk assessment will require you to answer some of the following questions:
- Who is likely to be affected by the breach, and roughly how many people?
- What type of data has been compromised?
- What caused the breach?
  - Human error
  - Technological failure
  - Malicious attack
- Should you notify other organizations, e.g. data processors, who may also be at risk?
- Should you call on other expertise, either within or outside your company?
- Has the breach been contained?
Assessing the Severity of the Breach
Not every data breach will need to be reported, so you need a system for assessing the severity of a breach.
The European Union Agency for Cybersecurity (ENISA, at the time called the EU Agency for Network and Information Security) published a methodology in 2013 that scores the severity of a breach from three factors:
- Data Processing Context (DPC) - what kind of personal data is involved:
  - Simple (names, contact details)
  - Behavioural (location, browsing or purchase history)
  - Financial
  - Sensitive (health, biometric, political, religious or sexual-life data, and the like)
- Ease of Identification (EI)
  - How easy would it be to identify individuals from the breached data?
  - Could the personal data reveal individuals directly or indirectly?
  - Is the data encrypted or pseudonymised, and was the key or the lookup table also exposed?
- Circumstances of Breach (CB) - does the breach involve:
  - Loss of confidentiality
  - Loss of integrity
  - Loss of availability
  - Malicious intent
ENISA combines these as DPC × EI + CB: the type of data and how identifiable the individuals are multiply each other, while the circumstances add a fixed amount on top.
If the data is sensitive, this gives a high Data Processing Context factor, making it more likely that the incident will need to be reported.
A high Circumstances of Breach factor might also mean that you're required to notify your DPA - for example, if there is evidence of malicious intent on the part of the attacker.
However, if the data is properly encrypted and the key was not compromised, the Ease of Identification factor will be low, making notification less likely.
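What the three factors look like when you actually have to score an incident, as an added example written in Python for this page; it is not from the original article and not ENISA's own tooling. The weights are my reading of ENISA's 2013 methodology document (SE = DPC × EI + CB); the severity bands and the mapping from band to GDPR notification decision are my assumptions, so check both against the ENISA text and treat the output as an input to your DPO's judgement, not a decision:

```python
"""Breach severity scoring in the style of ENISA's 2013 methodology.

Added example for this article, not ENISA's tooling. Assumptions: the
weights below are this author's reading of ENISA's "Recommendations for a
methodology of the assessment of severity of personal data breaches" (2013),
combined as SE = DPC x EI + CB; the level bands and the mapping from level to
GDPR notification decision are assumptions too.
"""
from dataclasses import dataclass
from enum import Enum


class DataType(Enum):
    """Data Processing Context (DPC) base score by kind of data."""
    SIMPLE = 1        # names, contact details
    BEHAVIOURAL = 2   # location, browsing or purchase history
    FINANCIAL = 3     # card or bank details, income
    SENSITIVE = 4     # health, biometrics, political or religious views


class Identifiability(Enum):
    """Ease of Identification (EI): how readily records map to a person."""
    NEGLIGIBLE = 0.25  # strong encryption or pseudonymisation, key not exposed
    LIMITED = 0.5
    SIGNIFICANT = 0.75
    MAXIMUM = 1.0      # direct identifiers in the clear


@dataclass
class Breach:
    description: str
    data_type: DataType
    identifiability: Identifiability
    confidentiality_lost: bool = False  # disclosed to someone unauthorised
    unknown_recipients: bool = False    # published widely, not to a known party
    integrity_lost: bool = False
    irrecoverable: bool = False         # altered and not restorable from backup
    availability_lost: bool = False
    permanent_loss: bool = False        # no backup, data gone for good
    malicious: bool = False


def circumstances_score(b: Breach) -> float:
    """Circumstances of Breach (CB): additive modifiers (assumed weights)."""
    cb = 0.0
    if b.confidentiality_lost:
        cb += 0.5 if b.unknown_recipients else 0.25
    if b.integrity_lost:
        cb += 0.5 if b.irrecoverable else 0.25
    if b.availability_lost:
        cb += 0.5 if b.permanent_loss else 0.25
    if b.malicious:
        cb += 0.5
    return cb


def severity(b: Breach) -> float:
    """SE = DPC x EI + CB: data type and identifiability multiply, circumstances add."""
    return b.data_type.value * b.identifiability.value + circumstances_score(b)


def severity_level(score: float) -> str:
    """Assumed bands: below 2 low, 2 to 3 medium, 3 to 4 high, 4 and above very high."""
    if score < 2:
        return "low"
    if score < 3:
        return "medium"
    if score < 4:
        return "high"
    return "very high"


def recommended_notification(b: Breach) -> dict:
    """Map the level to the GDPR thresholds (assumed mapping, not a legal rule):
    low = unlikely to present a risk, record internally only (Article 33(5));
    medium = a risk, notify the DPA; high or above = a high risk, notify both."""
    score = severity(b)
    level = severity_level(score)
    return {
        "score": round(score, 2),
        "level": level,
        "notify_dpa": level != "low",
        "notify_individuals": level in ("high", "very high"),
    }


# Constructed scenarios; the first three follow the Article 29 Working Party examples.
OUTAGE = Breach("call centre offline for a few minutes", DataType.SIMPLE,
                Identifiability.MAXIMUM, availability_lost=True)
MARKETPLACE = Breach("usernames, passwords and purchase history published online",
                     DataType.BEHAVIOURAL, Identifiability.MAXIMUM,
                     confidentiality_lost=True, unknown_recipients=True, malicious=True)
EXFILTRATION = Breach("contact details exfiltrated by an attacker, onward use unknown",
                      DataType.SIMPLE, Identifiability.MAXIMUM,
                      confidentiality_lost=True, unknown_recipients=True, malicious=True)
LAPTOP_ENCRYPTED = Breach("lost laptop with health records, full-disk encryption, key safe",
                          DataType.SENSITIVE, Identifiability.NEGLIGIBLE,
                          confidentiality_lost=True)
LAPTOP_CLEAR = Breach("same laptop, no encryption", DataType.SENSITIVE,
                      Identifiability.MAXIMUM, confidentiality_lost=True)

if __name__ == "__main__":
    for b in (OUTAGE, MARKETPLACE, EXFILTRATION, LAPTOP_ENCRYPTED, LAPTOP_CLEAR):
        print(f"{b.description}: {recommended_notification(b)}")
```

The two laptop scenarios make the encryption point concrete: the same sensitive data scores "low" while the key stayed safe and "very high" without encryption, which is why the Article 34(3) encryption exemption only holds when the key wasn't taken too. The exfiltration case lands exactly on the DPA-only line, a reminder that a small change in the facts (financial rather than contact data, say) moves it to notifying individuals as well.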
Notification
You're now in a position to know whether it is necessary to notify your DPA, and possibly the individuals affected - via either individual notification, public notification, or both.
It will be very helpful for you to have a template notification letter prepared, to ensure that you can notify at least within the crucial 72-hour period.
Post-Breach Evaluation
Once the storm settles, you need to take a step back and evaluate what happened, and how you can stop it from happening again.
- Where were the weaknesses in your data protection systems?
- Were you conducting proper audits?
- Were your staff properly trained in data protection?
- Were any data processors complying with a proper Data Processing Agreement?
- Do you need to take disciplinary action or hire extra staff?
You're legally obliged to cooperate with your DPA throughout this process if requested. Article 33(5) also requires you to document every personal data breach, including those you decide not to notify, recording the facts, its effects and the remedial action taken, so that the DPA can verify your compliance; keep that record as part of the post-breach evaluation.
Summary of Your Data Breach Notification Letter
A Data Breach Notification Letter is a method of complying with the legal obligation under the GDPR to let Data Protection Authorities (DPAs) or individuals know about a data breach.
- It must be sent:
  - To your DPA in the event of a breach that is likely to result in a risk to "rights and freedoms", without undue delay and, where feasible, within 72 hours of becoming aware of it
  - To the individuals whose data may have been compromised in the event of a high risk to "rights and freedoms", without undue delay (there is no fixed 72-hour limit for this, but you shouldn't wait for the DPA notification to be complete before warning them)
- Your Data Breach Notification Letter to your DPA must:
  - Comply with the requirements in Article 33
  - Contain any additional information the DPA requires
- Your Data Breach Notification Letter to individuals must, at a minimum, contain information about:
  - The nature of the breach
  - The likely consequences
  - Any steps you have taken so far
  - Anything that the individuals can do about the breach
  - Contact details, preferably for your Data Protection Officer
Download GDPR Data Breach Notice Letter Template
Download our GDPR Data Breach Notice Letter Template as a PDF file, DOCX file or Google Document.
This free, downloadable template helps you get started with:
- Notifying your customers/users that there has been a data breach
- Identifying types of personal information breached
- Identifying types of personal information not breached
- Disclosing steps you're taking to mitigate the issue
- Informing customers/users of what steps to take
- Providing your contact information