Summary of Breach Notification Form Changes
05th November 2021
Further to our communication regarding the changes relating to the breach notification form, we would like to provide further information on the requirements of the new form. To assist Data Controllers to prepare for same, the following information is being provided.
The new Webform is divided into sections which you can navigate back and forth between, as you progress through the form, consisting of:
Section 1: Introductory questions – in line with proposed guidance relating to risk assessment, questions are posed to ensure that the breach is due to be reported
Section 2: Your Supervisory Authority – questions relating to cross border matters
Section 3: About You – details to be provided regarding the person completing the form
Section 4: Timeline of the incident
Section 5: Details of the breach
Section 6: About the Data Subjects
Section 7: Action taken (Before/ After)
Section 8: Communication to data subjects
Sections 9: Upload supporting documents & submit
Section 10: Mandatory declarations
SUMMARY OF BREACH NOTIFICATION FORM CHANGES
Section 1 - Introductory questions
- The current breach notification form asks whether the user is notifying a breach as a controller or a processor and whether the user wishes to make a new breach notification or update a previous breach notification.
- In the new form, users will also be required to confirm whether the breach is likely to result in a risk to the rights and freedoms of natural persons (i.e. whether the breach reaches the risk threshold for notification) and whether the breach falls under the Law Enforcement Directive.
Section 2 – Your Supervisory Authority
- The current breach notification form requires users to state whether or not the breach being notified involves cross-border processing. If so, the user will be required to state whether the DPC is their LSA and, if so, the basis for this assessment, as well as details of any other establishments in the EU the controller has. A separate cross-border breach notification form will no longer exist.
- The new form will guide users through a number of questions in order to determine whether the breach relates to cross-border processing and related questions including details of the controller’s establishments, location of affected data subjects and whether they are “substantially affected” and the nature of the DPC’s competence in relation to the subject matter of the breach notification.
Section 3 – About You
Data controller details
- The current breach notification form asks users to state whether the controller is a public or private sector organisation.
- The new form will also require users to classify the industry sub-sector in which the controller operates according to Eurostat NACE criteria (a drop-down menu and link to Eurostat guidance is provided, see page 325: https://ec.europa.eu/eurostat/documents/3859598/5902521/KS-RA-07-015-EN.PDF.pdf/dd5443f5-b886-40e4-920d-9df03590ff91?t=1414781457000).
Contact person details
- The current breach notification form asks users to provide a contact person’s name and contact details (in the cross-border form) or the notifying person’s name and contact details and the DPO’s name and contact details (in the national form).
- The new form will require users to also specify whether the notifying person or the DPO is the designated contact person for the DPC in relation to the breach notification.
Section 5 – Details of the Breach
Nature of breach
- The new form includes more detailed options for the nature of the breach.
Types of data
- The new form includes more detailed options for the types of data affected by the breach.
Section 6 – About the Data Subjects
Number of data subjects/data records affected
- The current breach notification form asks users to include an actual or approximate number of data subjects and data records affected by the breach, unless the number is unknown.
- The new form permits users to choose the approximate numbers from bands (i.e. 1-10, 11-100 etc.).
Section 7 – Action Taken
Technical/organisational security measures
- The current breach notification form asks users to describe the technical and organisational security measures in place prior to the breach and any deficiencies identified, as well as the mitigating measures taken in response to the breach.
- The new form requires users to include additional details of technical and organisational security measures including:
- measures in place prior to the breach occurring
- deficiencies identified
- measures taken or to be taken to mitigate the impact of the breach on affected data subjects
- measures put in place in order to reduce the likelihood of re-occurrence
Section 8 - Communication to affected data subjects
- If the controller has used a public communication to inform affected data subjects of the breach, the new form requires the controller to explain why it would have involved disproportionate effort to notify data subjects individually.
Section 9 – Upload supporting documents
- If controllers wish to provide any further information or supporting documentation, the documents can be attached at this point.
Section 10 – Mandatory Declarations
- Controllers will be required to declare the understanding any information provided in the breach notification may be shared by the Data Protection Commission as required for the purpose of fulfilling its tasks under the General Data Protection Regulation and/or the Data Protection Act 2018, including, where appropriate, with the data protection supervisory authorities of EU/EEA Member States.
- Controllers will be required to declare the understanding that any information provided in the breach notification may be utilised at a future date in relation to an inquiry, as set out in section 110 of the Data Protection Act 2018, that the DPC may decide to undertake at a future date.