Report a data breach correctly: Reporting process according to GDPR with deadlines, evaluation and documentation

Reporting process in the event of a data breach
Marcus Belke

CEO of 2B Advice GmbH, driving innovation in privacy compliance and risk management and leading the development of Ailance, the next-generation compliance platform.

Data breaches are now among the most common compliance incidents in organizations. Technical security incidents, misconfigured IT systems or human error can lead to personal data being disclosed, altered or lost without authorization. Such an incident only becomes relevant under data protection law, however, if it qualifies as a personal data breach within the meaning of Art. 4 No. 12 GDPR. In practice, the greatest challenge is not the abstract legal position but its organizational implementation: within a short space of time, incidents have to be assessed, reporting obligations checked, measures documented and communication decisions taken. The following is an overview of the relevant points.

Reporting deadlines and start of deadline in the event of a data breach

The reporting system of the GDPR distinguishes between notification of the supervisory authority under Art. 33 GDPR and communication to the data subjects under Art. 34 GDPR.

Art. 33 para. 1 GDPR requires the controller to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The notification may be omitted only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the 72-hour period is exceeded, the notification must be accompanied by the reasons for the delay.

The period does not start only once the incident has been fully clarified. According to the guidelines of the European Data Protection Board, a controller is considered to have become "aware" of a breach as soon as it has a reasonable degree of certainty that a security incident has occurred that compromises personal data. A short initial investigation to establish this is permitted, but it must begin immediately.

Processors are subject to an upstream obligation under Art. 33 para. 2 GDPR: they must notify the controller without undue delay after becoming aware of a personal data breach. In complex organizational structures this often results in an internal escalation process that precedes the controller's own 72-hour period. Because the processor's delay does not extend the controller's deadline, the escalation path and its response times should be fixed contractually and tested.

Communication to the data subjects under Art. 34 GDPR is only required if the breach is likely to result in a high risk to their rights and freedoms. It must be carried out without undue delay, unless one of the statutory exceptions applies, for example where appropriate technical protective measures, such as encryption, render the data unintelligible to unauthorized persons.

Beyond the GDPR, further notification obligations may apply. Regulation (EU) No. 611/2013, for example, contains a separate notification regime with particularly short deadlines for providers of publicly available electronic communications services. In addition, cybersecurity law provides a tiered reporting regime for significant security incidents affecting certain entities under the BSIG.

Assessment and risk decision

The central legal challenge in the event of data breaches lies in risk assessment.

It must first be examined whether a personal data breach within the meaning of Art. 4 No. 12 GDPR has occurred at all. Not every IT security incident meets this definition: an incident that touches no personal data, or that leaves its confidentiality, integrity and availability intact, is not a data breach in this sense.

If such a breach has occurred, it must then be examined whether it is likely to result in a risk to the rights and freedoms of natural persons. Only in that case is there an obligation to notify the supervisory authority.

Only if the assessment finds a high risk does the additional obligation to inform the data subjects arise.

Possible consequences of damage play a particular role in the risk assessment. These include identity theft, financial losses, discrimination, damage to reputation or other material or immaterial disadvantages.

For organizational implementation, a structured assessment model is recommended that combines the probability of occurrence and the severity of the damage, while also taking into account protective measures that have already been implemented.
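As an added illustration (not code from the article or from 2B Advice), the following Python script turns the decision tree of the preceding sections into a small triage helper: the Art. 4 No. 12 threshold, the Art. 33 risk decision, the Art. 34 high-risk decision with the encryption exception, and the 72-hour period running from the moment of awareness. The 1-to-3 likelihood and severity scales, the score thresholds, the field names and the sample incident are assumptions made for this example; neither the GDPR nor the EDPB guidelines prescribe them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Art. 33(1) GDPR: notify the supervisory authority without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach.
ART33_WINDOW = timedelta(hours=72)


class Risk(Enum):
    NONE = "unlikely to result in a risk"  # no Art. 33 notification required
    RISK = "risk"                          # Art. 33: notify the supervisory authority
    HIGH = "high risk"                     # Art. 34: additionally inform the data subjects


@dataclass
class Breach:
    """Constructed breach record; the field names and the 1-3 scales are assumptions."""
    incident_id: str
    aware_at: datetime             # reasonable certainty that personal data is compromised
    personal_data_affected: bool   # Art. 4 No. 12 threshold: no personal data, no data breach
    likelihood: int                # 1 = remote, 2 = possible, 3 = likely (assumed scale)
    severity: int                  # 1 = minimal, 2 = significant, 3 = severe (assumed scale)
    data_unintelligible: bool = False  # e.g. encrypted, key not compromised: Art. 34(3)(a)
    sa_notified_at: Optional[datetime] = None


def classify_risk(likelihood: int, severity: int) -> Risk:
    """Combine probability and severity into the three GDPR risk tiers (thresholds assumed)."""
    for value in (likelihood, severity):
        if value not in (1, 2, 3):
            raise ValueError("likelihood and severity must be 1, 2 or 3")
    score = likelihood * severity
    if score <= 2:
        return Risk.NONE
    if score >= 6:
        return Risk.HIGH
    return Risk.RISK


def art33_deadline(aware_at: datetime) -> datetime:
    """The 72-hour window runs from awareness, not from full clarification of the incident."""
    if aware_at.tzinfo is None:
        # Naive timestamps are a common root cause of deadlines miscalculated across time zones.
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + ART33_WINDOW


def decide(b: Breach) -> dict:
    """Walk the Art. 33/34 decision tree and return a record for the Art. 33(5) documentation."""
    record = {"incident_id": b.incident_id, "documented": True}  # Art. 33(5): always document
    if not b.personal_data_affected:
        record.update(breach=False, risk=None, notify_sa=False, notify_subjects=False, deadline=None)
        return record
    risk = classify_risk(b.likelihood, b.severity)
    record.update(
        breach=True,
        risk=risk.value,
        notify_sa=risk is not Risk.NONE,
        # Art. 34(3)(a): no communication to data subjects if the data is unintelligible
        notify_subjects=risk is Risk.HIGH and not b.data_unintelligible,
        deadline=art33_deadline(b.aware_at) if risk is not Risk.NONE else None,
    )
    return record


def sa_notification_status(b: Breach, now: datetime) -> str:
    """Deadline tracking for the supervisory-authority notification."""
    deadline = art33_deadline(b.aware_at)
    if b.sa_notified_at is None:
        remaining = deadline - now
        if remaining <= timedelta(0):
            return "overdue: notify immediately and state the reasons for the delay (Art. 33(1))"
        hours = int(remaining.total_seconds() // 3600)
        return f"pending: {hours} hours remaining"
    if b.sa_notified_at <= deadline:
        return "notified within 72 hours"
    return "notified late: reasons for the delay must accompany the notification (Art. 33(1))"


# Constructed sample incident (assumption): unencrypted customer records exfiltrated.
SAMPLE_AWARE = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_BREACH = Breach("INC-0001", SAMPLE_AWARE, True, likelihood=3, severity=3)

if __name__ == "__main__":
    print(decide(SAMPLE_BREACH))
    print(sa_notification_status(SAMPLE_BREACH, now=SAMPLE_AWARE + timedelta(hours=36)))
```

The helper deliberately records every incident, including those that do not reach the notification threshold, because Art. 33 para. 5 GDPR requires documentation regardless of the outcome of the risk decision. Timestamps must be timezone-aware; a deadline computed from a naive local time is a recurring source of missed 72-hour windows in distributed organizations.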

Documentation and verification of a data breach

The Documentation of data protection violations is an independent legal obligation.

Art. 33 para. 5 GDPR obliges the controller to document all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken. This applies regardless of whether the breach is notified. The documentation must enable the supervisory authority to verify compliance with Art. 33.

In telecommunications law, Section 169 TKG supplements this obligation with a register of data protection breaches; incidents that occurred more than five years ago need not be included in it.

Securing technical evidence is of particular importance. Uncontrolled countermeasures can destroy digital traces and make subsequent clarification more difficult. For this reason, incident management should already specify the conditions under which forensic investigations are to be initiated.

An additional protection mechanism arises from Section 42 (4) BDSG. According to this, notifications pursuant to Art. 33 GDPR may not be used against the reporting party in criminal proceedings without their consent. This regulation is intended to promote open communication with supervisory authorities.


Communication with authorities and affected parties

The communication obligations are set out in detail in Art. 33 and 34 GDPR.

Under Art. 33 para. 3 GDPR, a notification to the supervisory authority must contain at least the following information:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned,
  • the name and contact details of the data protection officer or another contact point,
  • a description of the likely consequences of the breach and
  • a description of the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects.

If not all information is immediately available, it can be provided step by step.

The information provided to the persons concerned must be in clear and simple language and explain in particular the nature of the breach, the possible consequences and the recommended protective measures.

If the effort involved is disproportionate, a public announcement may take the place of individual notification.

Lessons learned: Post-incident review

Data breaches should not only be reported, but also systematically evaluated.

A post-incident review should examine in particular,

  • whether deadlines have been met correctly,
  • whether the moment of becoming aware of the breach, and thus the start of the 72-hour period, was correctly determined,
  • whether the risk decision is documented in a comprehensible manner and
  • whether communication with authorities and affected parties was legally compliant.

Key figures such as the time until the first risk assessment, the time until the authorities are notified or the consistency between the internal situation picture and external communication can be used for organizational control.

Incident playbook as a precaution for data breaches

Structured handling of personal data breaches requires a binding incident playbook. It should translate the legal decision-making process into operational procedures and define clear responsibilities.

Such a playbook should contain in particular:

  • a definition of a personal data breach in accordance with Art. 4 No. 12 GDPR

  • a matrix of deadlines for the reporting obligations

  • a documented assessment process for the risk and high-risk decisions

  • communication templates for authorities and data subjects

  • procedures for preserving evidence and for notifying in phases

A structured reporting process is therefore not only a legal obligation, but a central component of modern data protection and security governance.

2B Advice supports organizations in the development and implementation of such incident playbooks - from the legal structure to the practical implementation in the company. If you have any questions or are interested in a structured solution for dealing with data breaches, please contact us.

Marcus Belke is CEO of 2B Advice and a lawyer and IT expert for data protection and digital compliance. He writes regularly about AI governance, GDPR compliance and risk management. You can find out more about him on his author profile page.
