Overview of the upcoming new breach notification web-forms

The DPC has carried out a review of the breach web-forms currently being used by data controllers to notify personal data breaches in accordance with Article 33 of the GDPR and Section 86 of the Data Protection Act 2018. On foot of this review, data controllers will be required in the coming weeks to use a revised web-form.

The purpose of the revised breach web-form is:   

• To improve ease-of-use for data controllers.
• To streamline the method of notifying “cross-border” personal data breaches and “national” personal data breaches into a single channel.
• To reduce common errors or misunderstandings when breach web-forms are submitted.
• To take into consideration observations and issues previously raised by data controllers.
• To expand the questions that are asked in order to reduce the requirement for the DPC to issue follow-up enquiries to data controllers.

Below are highlights of the changes that are being introduced to the breach notification web-form:

• The addition of introductory “screening” questions to assist data controllers in determining whether a breach notification is required to be made and to reduce the risk of the breach notification web-form being used in error by individuals seeking to raise a concern regarding their own personal data.
• The “national” and “cross-border” breach web-forms are combined into a single form, which brings users through the information required to assess whether the breach relates to cross-border processing and whether the DPC or another supervisory authority is competent with respect to the breach.
• Options that are more detailed will be presented to users when selecting the type, nature and cause of the incident and the types of data involved and more guidance is provided regarding the type of information being sought by the breach web-form. This should reduce the need for follow-up clarification questions being issued by the DPC to the data controller. The new questions will also bring the breach web-form more in line with breach notification forms used by other EU supervisory authorities, facilitating the notification of personal data breaches by data controllers who interact with multiple EU supervisory authorities.
• Character limits have been increased for fields requiring expansive answers

Data controllers should continue to consult the DPC’s guidance on personal data breach notifications in order to ensure full compliance with their obligations under Article 33 of the GDPR and section 86 of the Data Protection Act 2018.

Providers of electronic communications services and networks should continue to notify personal data breaches falling under S.I. 336 of 2011 using the dedicated breach notification web-form that is available here.

Please note that changes will also be forthcoming in relation to this form upon transposition of the European Electronic Communications Code into Irish law.