January 10, 2020

GDPR: Security Breach Notification Management

The GDPR stipulates the timeframes for notifying supervisory authorities and data subjects in the event of a personal data breach, as well as the requirements regarding the details that are necessary to be provided in such circumstances. Organisations should assess and ensure that the mechanisms in place enable accurate and timely responses in accordance with the GDPR, and Cyprus law.

In accordance with Article 33 (Notification of a personal data breach to the supervisory authority) of the EU General Data Protection Regulation (“GDPR”), inter alia, in the case of a personal data breach, the Controller should without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the [national] supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it should be accompanied by reasons for the delay.

Furthermore, the Processor should notify the Controller without undue delay after becoming aware of a personal data breach.

Therefore, organisations should, among other things, implement:
  • a security breach response plan, including a protocol for notifying the Office of the Commissioner for Personal Data Protection
  • a security breach response team
  • data breach response and notification procedures to meet the 72-hour deadline for notifications to the Office of the Commissioner for Personal Data Protection
  • data breach response procedures to evaluate situations exposing data subjects to high risk, and procedures to enable notifications to be made to data subjects “without undue delay” in such circumstances
  • documentation and template breach notification letters
  • mock data breaches
  • a personal data breach register and log

Specifically, the relevant personal data breach notification should, at least:
  • describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  • communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained
  • describe the likely consequences of the personal data breach
  • describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

Data subject notices must also comply with the data subject communication requirements in Article 12 of the GDPR.

It is noteworthy that where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

Importantly, the Controller should document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. Such documentation should enable the supervisory authority to verify compliance with the GDPR.

Moreover, in accordance with Section 12 (Derogation in relation to the communication of a data breach) of the Cyprus Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (Law 125(I)/2018) (“Law”), inter alia, a Controller may be exempt from the obligation to communicate a personal data breach to the data subject, wholly or partly, for one or more of the purposes referred to in Article 23 of the GDPR. Once again, the aforesaid exemption from the obligation to communicate a personal data breach requires carrying out an impact assessment and prior consultation with the Commissioner. The Commissioner may impose terms and conditions on the Controller for the aforesaid exemption.
K. A. Kourtellos & Co LLC is regulated by the Cyprus Bar Association
Copyright © 2020-2023 K. A. Kourtellos & Co LLC. All rights reserved.