What to do in case of Breach of personal data?
Article 33 of the GDPR mandates the Controller of the personal data to notify the Supervisory authority in case of breach of personal data. It is mandatory to notify the same as soon as possible, without undue delay and where feasible not later than 72 hours after being aware of such data breach unless such breach is unlikely to result in a risk to the rights and freedom of natural persons. In case the notification is communicated to the supervisory authority after 72 hours then such notification shall be accompanied with the reasons for the delay.
Subsequently, the processor must also notify the controller without undue delay about the breach of personal data.
The notification as repetitively referred under article 33 must contain the following details-
- Description of nature of personal data showing the categories and approximate number of data subjects concerned and categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point from where more information can be obtained;
- Describe the expected consequences of such breach;
- Describe the measures taken or proposed to be taken by the controller in order to address the personal data breach such as measures to mitigate the possible adverse effects.
The above mentioned details if not provided at the same time, the information may be provided in phases without undue further delay.
It further provides to document each data breach mentioning the facts related to such breach, its effect and remedial action taken. The purpose of such documentation is to enable the supervisory authority to verify the compliance of GDPR.
Picture Credit-https://www.termsfeed.com/