GDPR: When to report a Personal Data Breach

In the first month since the GDPR became enforceable, data breach self-reporting is up 500%

Even before the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25th, the words “personal data breach” were enough to send shivers down the spines of CIOs and CISOs the world over. While the public seems to be growing numb to the torrent of data breach news and notifications coming their way (5,027 breaches compromising over 7.8 billion records in 2017), security professionals – especially corporate ones – are more sensitive than ever to the dangers of a personal data breach.

And now that the GDPR is enforceable, in addition to the potential loss of business and damage to reputation, there is also the potential for steep fines of up to €20,000,000 or 4% of total international revenue.

That in turn has led to a major spike in self-reporting in the first month of GDPR enforcement, with 1,792 breaches self-reported to the UK Information Commissioner’s Office (the UK’s Data Protection Authority) in June of 2018. That’s compared to just 367 breaches reported in April, the last full month before the GDPR went into effect.

However, in a recent webinar, the ICO’s head of Data Breach Reporting, Laura Middleton, cautioned that: “not every personal data breach needs to be reported. So controllers should assess the likelihood and severity of risk to individuals before making that decision to report.”

So that’s what we’re going to cover today: under the GDPR, what constitutes a personal data breach and when should you report one?

Let’s hash it out.

Under the GDPR, what is a Data Breach?

In many ways, the term “Data Breach” is probably not a broad enough descriptor. Just like with many American laws, the legal definition and the popular definition differ. For the sake of the GDPR, Personal Data Breach covers a range of data incidents, everything from accidental disclosure to deletion to an actual breach of security where information is stolen. Here’s the official GDPR definition in Article 4(12):

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Let’s break that down a little bit. A breach of security in this sense doesn’t have to be an attacker fighting through your defenses. A breach of security can occur as a result of something as simple as an employee’s mistake or a database error. The more important portion of this definition is the back half, which is fairly broad. And that’s likely led to some over-reporting, where incidents that didn’t rise to the level of needing to be reported were still documented with the ICO out of a sense of caution.

But for the sake of clarity, let’s define a GDPR personal data breach in our own layman’s terms.

A personal data breach occurs any time a customer’s data is destroyed, lost, altered or disclosed to the wrong party, whether by accident or through a malicious act by an attacker.

Now, let’s talk about what your responsibilities are for reporting a data breach under the GDPR.

You have 72 hours to report a personal data breach after it’s discovered

This is the biggest thing that you need to be aware of as you investigate any data incident and make a determination on reporting: you have 72 hours from the time you discover the issue. Now, with a true breach, the average time it takes a company to detect it is usually around 190 days. Some of the other data incidents that roll up under the GDPR’s “Personal Data Breach” definition may take considerably less time to diagnose. Regardless of how long it takes for the problem to present itself, once it’s been discovered you need to document that down to the minute, and from there you have three days to decide what you need to do.

Here’s how the GDPR lays out your responsibility in Article 33(1):

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

As you can see from the definition, your company or organization is faced with a decision regarding the severity of the incident. And much like with determining your “legitimate interests,” the GDPR is essentially asking you to perform an analysis that weighs the risk to the rights of the data subject.

To figure that out you’re going to need to answer some questions, and it would be a good idea to document these as part of your investigation.

  • What happened? What kind of incident was this: did you leave an AWS bucket with all of your users’ financial data unprotected, or did you just send the wrong customer the wrong email?
  • How many people were affected? Is this a large-scale breach, or is it limited to just a handful of people? Most literature around the GDPR puts the cut-off for “large-scale” at 500 data subjects.
  • What personal data was compromised? Is this just a customer’s name and email address? Or is it more sensitive data like financial information or special categories of personal data?
  • What is the risk to the affected data subjects? Worst case scenario, what could be done with this information to harm the data subject either financially, materially or reputationally?
  • What caused this situation? Was it an attacker exploiting your security? Was this a technical mistake? Human error?
  • How easily can this issue be remediated? Will this take months to fix or is this just a simple tweak? When will you be able to accomplish this?

If you can answer those questions, you should be able to weigh what risks this personal data breach could pose to those affected and whether or not this incident rises to the level of reporting.

When is Reporting a Personal Data Breach not necessary?

That’s a decision that is entirely yours, one that should be made after considering all of the possible information regarding cause, size and scope. It would be irresponsible to make categorical suggestions here. But it should be pretty obvious once you investigate. Some of it also comes down to how cautious you want to be given the sizable penalties associated with messing this up.

It all comes down to the risk posed to the data subject(s). If the breach is small, limited to a single data subject, and doesn’t include passwords or financial data, you may be fine just documenting the situation and not reporting it. Or you might want to just play it safe and report it to your Data Protection Authority anyway.

Regardless, you need to be documenting everything. And if you decide not to report an incident, make sure you document why you chose not to, including an explanation of why you don’t feel this poses a significant risk to the data subject.

What information should be included in a breach notification?

Your breach notification is going to need to include all of the following information:

  • A description of the personal data breach, including the categories and number of data subjects involved, as well as the types and quantity of records compromised.
  • A name and contact information for either your registered Data Protection Officer or the individual heading up the investigation, someone who can be contacted for information.
  • A description of the possible (and most likely) consequences of the compromise.
  • A description of your investigation and any measures you have taken or will be taking to remediate the issue.

If you don’t have all of the information within the first 72 hours (when you are required to report), it can be provided in phases as it becomes available, provided this is done promptly.

Remember, transparency is important. If your supervisory authority doesn’t think you’re acting in good faith you will be penalized. So don’t try to be sneaky or hide anything. Most Data Protection Authorities, at least at this point – early on in the GDPR enforcement period – have shown a willingness to work with companies and not be overly punitive. They’re not trying to be adversarial, they’re just trying to make sure that peoples’ rights are respected.

Who is my Data Protection Authority?

Your relevant Data Protection Authority varies by country and region. This is probably something you should have already figured out, but in the event you need a refresher, here’s a list of Data Protection Authorities by country:

For the United States, your Data Protection Authority is either the Department of Transportation or the Federal Trade Commission. You can check out the rest of the DPAs below:

United States

Federal Trade Commission

600 Pennsylvania Avenue, NW
Washington, DC 20580
Telephone: (202) 326-2222

Department of Transportation

1200 New Jersey Ave, SE
Washington, DC 20590

Telephone: (202) 366-4000

Austria

Österreichische Datenschutzbehörde

Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35

Bulgaria

Commission for Personal Data Protection

2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525

Croatia

Croatian Personal Data Protection Agency

Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099

Cyprus

Commissioner for Personal Data Protection

1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565

Czech Republic

The Office for Personal Data Protection

Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444

Denmark

Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Fax +372 6274 137

Finland

Office of the Data Protection Ombudsman

P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Fax +358 10 3666 735

France

Commission Nationale de l’Informatique et des Libertés – CNIL

8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550

Germany splits complaints between different agencies.

Greece

Hellenic Data Protection Authority

Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628

Hungary

National Authority for Data Protection and Freedom of Information

Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400

Ireland

Data Protection Commissioner

Canal House
Station Road
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785

Latvia

Data State Inspectorate

Director: Ms Daiga Avdejanova
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556

Lithuania

State Data Protection

Žygimantų str. 11-6a
011042 Vilnius
Tel. +370 5 279 14 45
Fax +370 5 261 94 94

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29

Malta

Office of the Data Protection Commissioner

Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198

Netherlands

Autoriteit Persoonsgegevens

Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501

Poland

The Bureau of the Inspector General for the Protection of Personal Data – GIODO

ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Fax +48 22 53 10 441

Portugal

Comissão Nacional de Protecção de Dados – CNPD

R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32

Romania

The National Supervisory Authority for Personal Data Processing

President: Mrs Ancuţa Gianina Opre
B-dul Magheru 28-30
Tel. +40 21 252 5599
Fax +40 21 252 5757

Slovakia

Office for Personal Data Protection of the Slovak Republic

Hraničná 12
820 07 Bratislava 27
Tel. +421 2 32 31 32 14
Fax +421 2 32 31 32 34

Slovenia

Information Commissioner

Ms Mojca Prelesnik
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699

Sweden

Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652

United Kingdom

The Information Commissioner’s Office

Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745

Iceland

Icelandic Data Protection Agency

Rauðarárstíg 10
105 Reykjavík
Tel. +354 510 9600; Fax +354 510 9606

Liechtenstein

Data Protection Office

Kirchstrasse 8, P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090

Norway

The Data Inspectorate

P.O. Box 8177 Dep
0034 Oslo
Tel. +47 22 39 69 00; Fax +47 22 42 23 50

Switzerland

Data Protection and Information Commissioner of Switzerland

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel. +41 58 462 43 95; Fax +41 58 462 99 96


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.