GDPR: How to Handle a Data Breach

Photo by Christoph Scholz from Flickr (Creative Commons License)

Every company that sends commercial emails to people who reside in the EU or process their data has to comply with the new privacy law, the General Data Protection Regulation (GDPR). This law has specific rules about how companies have to respond when a data breach occurs. It’s so much better than the current rules in the U.S.

Report the Breach to Supervisor within 72 Hours

When a data breach occurs, the employee must report the breach to their supervisory authority without undue delay, and where feasible, within 72 hours of learning of the breach. This notice must include the likely consequences of the breach and the measures the company is taking to mitigate the potential adverse effects.

The only exception to this rule is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company doesn’t have to report the breach if it’s will not likely cause harm to those impacted.

Report the Breach to Consumers

In addition to reporting the breach up the chain of command, the company, without undue delay, must notify the people’s whose data was compromised if the breach is likely to result in a high risk to their rights and freedoms. The law doesn’t specify a number of days or a rubric to determine what is notification “without undue delay.”

Companies should notify the effected persons unless it would require a disproportionate effort. In that case, notification may be made by public communication.

There is an exception to this requirement. The company does not have to disclose that the data breach occurred if the personal data would be unintelligible (e.g. encrypted) to whomever stole it or if the risks have been sufficiently mitigated that adverse results are unlikely to occur.

These new requirements are fantastic. These will hopefully eliminate the problem of companies waiting weeks or months to disclose to impacted consumers that their personal data was hacked.

You can learn more about this aspect of the GDPR here:

Remember, if you are subject to the GDPR, you must comply with this law by May 25, 2018 when it goes into effect.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked *