Quick guide: How do you notify the Supervisory Authority (SA) of a breach?

  • John Ghent

  • The breach must be reported to the SA ‘without undue delay’ and within 72 hours; if it takes longer, a ‘reasonable justification’ must be provided
  • You must provide a description of the nature of the personal data breach
  • The categories and approximate number of data subjects concerned must be detailed
  • The categories and approximate number of data records concerned must be provided
  • The name and contact details of the data protection officer, or another contact point where more information can be obtained, should be detailed
  • A description of the likely consequences of the personal data breach must be included
  • A description of the measures taken, or proposed actions to be taken, by the Data Controller (DC) to address the personal data breach, including, where appropriate, measures to mitigate its adverse effects, must be provided

If the appropriate technical and organisational protection measures have been taken to make the personal data unintelligible to any person who is not authorised to access it, such as encryption, there is no obligation to notify the data subject of the breach.

If not, then you must contact the individual and provide:

  • A description of the nature of the personal data breach
  • The name and contact details of the data protection officer, or another contact point where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed actions to be taken, by the controller to address the personal data breach, including, where appropriate, measures to mitigate its adverse effects

If individual notification would involve disproportionate effort, the controller can instead consider a public communication or advertisement.

The SA may consider an incident to have created a substantial risk where the DC does not; in that case, the SA may require the DC to contact the affected data subjects once it has evaluated the details of the circumstances.

For more information on how to report a breach, visit: https://ico.org.uk/for-organisations/report-a-breach/

Think you could use some help?

Give us a shout to see how PrivacyEngine can help you with your data protection needs.