Breach Notification and Response
The GDPR's definition of a data breach is broad, covering destruction, loss, alteration, or unauthorized disclosure of or access to personal data. Controllers must notify the DPA within 72 hours where feasible; processors notify controllers without undue delay; affected data subjects are told when there is a high risk.
The GDPR defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. Because personal data is itself so broadly defined, the concept of a breach is broader under the GDPR than under most U.S. laws.
| Who notifies | Recipient | Timing / trigger |
|---|---|---|
| Controller | Relevant DPA | Within 72 hours of becoming aware, where feasible; explain any delay |
| Processor | Controller | Without undue delay after discovering a breach |
| Controller | Affected data subjects | Without undue delay when the breach is likely to result in high risk to rights and freedoms |
A controller need not notify the DPA if the breach is unlikely to result in a risk to individuals, but it must still document the breach. Notice to data subjects is not required when the data is protected (e.g., encrypted), when the controller has taken steps to prevent harm (e.g., suspended accounts), or when individual notice would be disproportionate (in which case a public notice is used instead).