Security Incident Notification under the EU’s GDPR


The enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law since the adoption of the 1995 Directive. Unlike the Directive, which was silent on the issue of data breaches, the GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

The GDPR puts stress on a number of core data protection principles and includes provisions relating to fair, lawful, and transparent data processing; data minimization and purpose limitation; data integrity and accuracy; specific data retention periods; increased data security; and accountability associated with the practices of data controllers and processors.

Among the key operational impacts of the GDPR is a new “personal data breach” notification obligation, the first EU-wide requirement to notify supervisory authorities and affected individuals of security incidents. The obligations are placed in a number of provisions in GDPR.

Breach Notification Requirement

Regarding breach notifications, the most important provision is Article 33 of the GDPR.

Article 33

Notification of a personal data breach to the supervisory authority

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  1. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  2. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.


It obliges data controllers to notify the competent supervisory authority of a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data” (As defined in Article 4) “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” However, the obligations for the data controllers don’t end with the notification. They must further document the breach response process, including discovery, investigation, notification, and the likely consequences of the incident, and remediation and mitigation steps that the organization has taken or will take. Moreover, this documentation may be requested by data protection authorities to verify compliance.

Following the logic, it is essential to define what personal data really means in case of a breach. “Personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The GDPR definition of “personal data” is broad: any information that can be directly or indirectly related to an identified or identifiable natural person. Under the GDPR, “personal data” explicitly includes online identifiers and location data, so IP addresses and mobile device unique identifiers are within its scope.

However, in order to be specific, the notification obligation is not absolute. The potential risk of harm to affected individuals is relevant to the analysis. With respect to notifying the authorities, the requirement applies “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This clarification  comes from Article 34 where it is explained that notification of data subjects is required only if the personal data breach “is likely to result in a high risk to the rights and freedoms of natural persons.” An exception to the notification requirement may apply if, for example, the data controller has implemented appropriate measures to protect the personal data so that it would be “unintelligible” to unauthorized parties (e.g., through encryption), or if the controller took steps subsequent to the incident to ensure that risks to individuals were not likely to materialize.


Unlike the1995 Directive, GDPR provides an obligation for harmonisation of data breaches (which is only natural after those breaches are reported to the relevant authorities in the member state). The GDPR’s uniform application across EU member states should at least provide predictability and thus efficiency to controllers and processors seeking to establish compliant data security regimes and breach notification procedures across the entirety of the 28 member states. Nonetheless, the GDPR’s reference to a “competent supervisory authority” suggests  that notifications may need to be made to more than one supervisory authority depending on the circumstances, and the ambiguity of a number of terms such as “undue delay”, “likelihood of risk to rights and freedoms” and “disproportionate effort” all remain to be further clarified and defined in practice.

How does this happen practice?

The answer is actually very simple – companies and organisation need to put relevant policies and procedures in place. Organisations that already have robust incident response policies and procedures in place (for example those operating in the USA, where notifications for breaches of data have been in force for quite some time) may just need to update those materials to comply with the new EU requirements. Companies that don’t have detailed data breach response plans should begin developing and implementing appropriate policies and procedures without undue delay.

However, multinational companies and organisations that fall into the scope of both the EU and US data protection regime may face a conundrum.  They have to notify EU authorities within 72 hours as required and be forced to “rush” a notification in the USA, or they can follow the less-stringent timing requirements applicable in the USA and risk noncompliance with the GDPR. Careful consideration and thorough planning, including strategy and exercise sessions, can help companies develop a coherent, defensible approach to decision-making that will protect individuals and satisfy regulators in the event of an incident.

If you still might need help in understanding how you can notify the right people, the right way in case of a data breach, might we suggest GDPR Toolkit? A complete set of informational materials and template documents, designed to guide you through your journey towards compliance with GDPR.

19 thoughts on “Security Incident Notification under the EU’s GDPR

Leave a Reply

Your email address will not be published.