
Reporting a Data Breach – When & How?

Article by Tsaaro


A data breach occurs when data for which your organization or company is responsible suffers a security incident that results in a breach of its confidentiality, availability, or integrity. If your company or organization acts as a data processor, it is required to notify the data controller of any data breach. If the breach poses a high risk to the people affected, all of them should be informed, unless strong technical and organizational protection measures were already in place, or subsequent measures ensure that the risk is no longer likely to materialize. To avoid data breaches in the first place, it is critical for an organization to establish proper technical and organizational procedures.

Provisions under the GDPR for reporting a Data Breach

GDPR is a broad set of data privacy rules that define how an organization must handle and protect the personal data of its employees and users. The regulation also outlines how organizations must report a data breach. The procedures for breach notification are set out in Articles 33 and 34 of GDPR; however, most organizations are still uninformed of their obligations. Businesses frequently miss details such as what must be notified, when it must be reported, to whom it must be reported, and what a breach notification must contain. Significant fines may be imposed as a result of this negligence.

In the event of a data breach, the firm has many critical responsibilities as a Data Controller, including taking necessary actions and alerting concerned authorities and affected persons. Let’s start with a definition of a personal data breach, as defined by the GDPR Regulation.

What is a Personal Data Breach?

“Personal data,” as defined by GDPR, is any information relating to an identified or identifiable natural person, such as their name, contact information, or health records, as well as comparable identifying information. A personal data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered, disclosed without authorization, or accessed without authorization. When an unauthorized person or a cyber-criminal gains access to an organization’s database, whether by intrusion or through the negligence of an employee handling sensitive personal data, a data breach has occurred. GDPR frames a personal data breach as an incident that results in the accidental loss or destruction of data, or the unauthorized disclosure, alteration, or access to personal data of EU data subjects.

Timeline for reporting a Data Breach

While it is important that a data breach incident be reported, organizations must also understand that not all information security incidents qualify as personal data breaches. If a personal data breach does occur, and it is likely to pose a risk to individuals’ rights and freedoms, the organization has to notify the supervisory authority without undue delay and at the latest within 72 hours after having become aware of the breach.

Who should be notified about the Data Breach?

Once a personal data breach has been identified, companies must report it to the appropriate supervisory authority in line with Chapter 6 of GDPR. According to GDPR, if a company has no legally established presence in the EU but nevertheless suffers an incident involving EU citizens’ data, it must notify the supervisory authority of each Member State in which it operates and which is affected by the incident.

The organization must also notify all impacted individuals after alerting the supervisory authority. They should, at the absolute least, make a statement informing them that an incident has occurred. Although it is not expressly stated in the law, an organization can exhibit greater transparency by creating a website and a toll-free hotline for individuals to contact in order to learn more about the incident and have their questions answered.

Contents of a Data Breach Notification under the GDPR

While the organization must notify the relevant supervisory authority and the affected individuals, it is also important to include necessary information concerning the data breach incident. Some of the details that should be included in the data breach notification include:

  1. When the breach incident occurred and how it was discovered.
  2. The categories or types of personal data that were affected.
  3. The severity of the breach both in terms of records lost and the number of people affected.
  4. The potential impact of the breach on data subjects.
  5. The impact to the organization in terms of services provided to users.
  6. Recovery time from the impact of the data breach.
  7. Measures taken to remediate the breach and to prevent such an incident in the future.
  8. Name and contact details of the Data Protection Officer (DPO) for obtaining further information about the breach incident.

Steps to be taken in case of a Personal Data Breach

  1. SECURE OPERATIONS
    a. You must act immediately to secure your systems and to address any vulnerabilities that may have contributed to the incident. The only thing worse than a single data breach is several of them. Take steps to prevent it from happening again.
    b. Secure any physical areas that may have been affected by the breach. If necessary, lock them and alter the access codes, and consult forensic experts, and law enforcement to determine whether it is safe to restart normal operations.
    c. To avoid further data loss, immediately mobilise your breach response team. The specific steps to take will be determined by the nature of the breach as well as the structure of your company.
    d. Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
  2. FIX VULNERABILITIES
    a. Review your network segmentation. When building your network, you probably segregated it so that a compromise of one server or site would not result in a breach of another. With the help of forensics experts, analyze whether your segmentation plan was effective in containing the breach.
    b. Check to see if any security measures, such as encryption, were in place at the time of the intrusion. Examine any data that has been saved or backed up. Examine logs to see who had access to the data at the time the incident occurred. Also, look at who has access now, see if it’s necessary, and if it isn’t, limit access.
    c. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. When you get the forensic reports, take the recommended remedial measures as soon as possible. 
    d. Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. And don’t withhold key details that might help consumers protect themselves and their information. Also, don’t publicly share information that might put consumers at further risk.
    e. Anticipate the questions people will ask. Then put the most important questions, with clear, plain-language answers, on your website where they are easy to find. Good communication up front can limit customers’ concerns and frustration, saving your company time and money later.

Conclusion

Every firm must adhere to the GDPR’s breach notification rules. While notification does not undo the incident, it does help to limit the incident’s impact and escalation. It can be viewed as one way for businesses to reduce the harm caused by personal data breaches.

Because regulators acknowledge that a thorough investigation of a personal data breach can’t be completed in 72 hours, Article 33(4) allows companies to release essential information in phases without undue delay. However, organizations must expedite the process, prioritize the inquiry, and provide further information as quickly as possible. If all of the details are not provided within 72 hours, the organization must provide a valid cause for the delay as well as a timeline for completion.

