Quick guide: How do you notify the Supervisory Authority (SA) of a breach? Posted by John on 13 October 2017

Quick guide: How do you notify the Supervisory Authority (SA) of a breach?

If the appropriate technical and organisation protection measures have been taken to make the personal data unintelligible to any person who is not authorised to access it, such as encryption, there is no obligation to notify the data subject of the breach.

If not, then you must contact the individual with:

Unless the individual notification would involve disproportional effort, in which case the controller can consider a public communication or advertisement.

The SA may consider an incident to have created a substantial risk where the DC does not, in this case the SA may require the DC to contact the affected data subjects once they have evaluated the details of the circumstances.

For more information on how to report a breach, visit: https://ico.org.uk/for-organisations/report-a-breach/