GDPR Mandatory Data Breach Notification Requirements
All organisations in the European Union must report data breaches within 72 hours or face heavy fines under the EU’s General Data Protection Regulation (GDPR). The regulation requires organisations to notify the supervisory authority, which is usually the country’s data protection agency, of any data breaches that put people’s personal data at risk.
The GDPR applies to any organisation that processes or intends to process the personal data of individuals in the EU, regardless of whether the data is collected in the EU or not. This includes businesses, government agencies, nonprofits, and any other type of organisation.
Organisations that fail to comply with the GDPR’s data breach notification requirements can be fined up to 4% of their global annual revenue or €20 million (US $23.5 million), whichever is greater.
The breaches that must be reported to the supervisory authority are those that put people’s personal data at risk. Personal data here means any type of data that could be used to identify an individual, such as a name, email address, physical address, IP address, phone number, or social media account.
The notification must be made within 72 hours of the organisation becoming aware of the data breach. If the data breach is likely to result in a high risk to the rights and freedoms of individuals, then the notification must also include a description of the likely consequences of the data breach.
Organisations are not required to notify the supervisory authority if the data breach is unlikely to result in a risk to the rights and freedoms of individuals. This determination must be made in consultation with a qualified security professional.
In addition to the GDPR, many countries have their own laws and regulations regarding data breaches and notifications. Organisations should consult with legal counsel to ensure they are in compliance with all applicable laws and regulations.