Breach Notification

Summary of Breach Notification Form Changes

Overview of the upcoming new breach notification web-forms

  As part of the rollout of the DPC’s new case management system an automated response will now immediately issue to any breach notifications submitted by data controllers. This automated reply will contain a DPC reference which should be quoted in full and unaltered in any reply to ensure that it is properly associated with the correct case file. The case reference provided by the DPC will appear different to the “BN” format previously used, the new case references are prefixed with DPC for example DPC0601123456, any controller side internal reference will not be included in the DPC automated reply so the DPC would recommend that you track any breach notification submissions which you make and match them to the automated reply which you will immediately receive.

From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organisations must do this within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.

Please see guidance below in relation to notifying this office of a breach. Please note the separate reporting requirements that are applicable to providers of publicly available electronic communications networks or services, under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011).

To facilitate decision-making and determine whether or not your organisation needs to notify the relevant supervisory authority and affected individuals, you should have a high-quality risk management process and robust breach detection, investigation and reporting processes.

  Please note even where you determine there is no risk to affected individuals following a personal data breach, you need to keep an internal record of the details, the means for deciding there was no risk, who decided there was no risk, and the risk rating that was recorded.

Initial notification of a breach

  • All breach notifications must be notified using the 'Breach Notification Form'.
  • All cross-border personal data breaches must be indicated as being cross-border on the relevant section of the form.
    Cross-border processing means either:
    • Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of an organisation; or
    • Processing of personal data which takes place in the context of the activities of a single establishment of an organisation that substantially affects or is likely to substantially affect data subjects in more than one Member State.
  • Note for providers of publicly available electronic communications networks or services: Because the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) place specific obligations on providers of publicly available electronic communications networks or services to safeguard the security of their services, to report a breach on behalf of any organisation in this sector, please complete our Telecoms/ISP providers Data Security Breach Notification Form.
  • In the subject line of the email please include the following information:
    • Whether the breach you wish to notify DPC of is 'new' or an 'update' to a previous breach notification;
    • Your organisation name; and
    • Your self-declared risk rating for the breach.

  An example of an email subject line is provided below:
Subject: New Breach Report, [organisation name], High Risk

Self-Declared Risk Rating

In determining how serious you consider the breach to be for affected individuals, you should take into account the impact the breach could potentially have on individuals whose data has been exposed. In assessing this potential impact you should consider the nature of the breach, the cause of the breach, the type of data exposed, mitigating factors in place, and whether the personal data of vulnerable individuals has been exposed. The levels of risk are further defined below:

  • Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
  • Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
  • High Risk: The breach may have a considerable impact on affected individuals.
  • Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.

Updating an existing notification

  • If your notification was incomplete for any reason, you should submit further information when it becomes available. In this case, please submit a new version of the appropriate form with the relevant fields of the form completed.
  • For updated notifications please include the following information in the subject line of the email:
    • Updated Breach Notification;
    • Organisation Name; and
    • DPC reference number (if one has been provided).

  An example of an email subject line is provided below:
Subject: Update Breach Report, [Organisation Name], [Reference Number], High Risk

  Please do not include the personal information of affected individuals in your notification.

Further Information

Summary of Breach Notification Form Changes

Overview of the upcoming new breach notification web-forms

A quick Guide to GDPR Breach Notifications

A Practical Guide to Personal Data Breach Notifications under the GDPR

Data Breach Trends from the First Year of the GDPR