GDPR Breach Notification
As most businesses that deal with personal data already know, the General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. The regulation aims to enhance data security and gives individuals more rights over the ownership of their personal data. A number of substantial changes are coming into effect that differ considerably from the previous directive, but let’s focus on breach notification. Breach notification should be of paramount importance to companies because it is time sensitive. Article 33 of the GDPR provides a comprehensive set of instructions on this topic, but the official jargon can be difficult to penetrate.
Article 33 of GDPR explains breach notification as: “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”. A data breach is defined as a lapse in security that may “result in a risk for the rights and freedoms of individuals”. A data breach must be reported to the Data Protection Office within 72 hours of the breach being detected; if the report falls outside this period, it must be accompanied by reasons for the delay. That is the basic outline of Article 33. GDPR imposes stricter regulations on companies and data controllers, but it also provides clearer instructions on how to adhere to them. It is in this way that GDPR is great for business: it gives companies a clear guide to utilising their data in the most efficient way for everyone involved.
Previously, the directive in place for data security did not address breach notification. GDPR not only acknowledges it but provides an exact definition of a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This clear and precise definition rids data processing of the ambiguity surrounding compliance and will ensure that personal data is secured to a regulated standard. Under GDPR, breach notification will be compulsory in every member state, and as well as notifying the supervisory authority, data controllers will have to make customers aware of the breach in security “without undue delay”. There is one instance where notification is not necessary: when the breach is not likely to pose a threat to the “rights and freedoms of natural persons”. This will inevitably lead to debate over what actually constitutes a breach of those freedoms and what necessitates a notification.
GDPR’s blanket application in every EU member state provides a standard that breeds predictability and efficiency. The time between now and May 25th, 2018 is the time needed to make the transition to compliance with GDPR. This is where Asystec comes in. Organisations need to assess how they interact with personal data, and Asystec can provide the structure to analyse these systems. Companies need to know how they should approach data protection under the new GDPR legislation. With Asystec, companies can meet the criteria required of them and, in turn, won’t have to fear large fines for non-compliance. Asystec ensures that organisations will be prepared to comply with the new GDPR legislation when May 25th, 2018 comes. Change and improvement are imminent under GDPR; institutions need to take informed steps toward safeguarding themselves and their customers. Asystec can help you realise what these steps are, taking you and your company toward GDPR compliance.