
2022 EDPB update: Non-EU companies confront tougher GDPR breach notification rules

Key Stats

  • During the third quarter of 2022, approximately 15 million data records were exposed worldwide through data breaches, an increase of 37% compared to the previous quarter.
  • Cyber incidents in the automotive industry: a new report reveals that 31% of automotive cyber incidents are data breaches.
  • NCSC research indicates that the cyber threat to the UK sports sector is significant: at least 70% of sports organisations have experienced at least one cyber incident or harmful cyber activity.
  • The European Data Protection Board (EDPB) has updated its data breach notification guidelines for controllers and processors, with particular impact on those not established in the EU.
  • The guidance confirms that having an EU representative does not trigger the “one-stop-shop” principle.
  • This means companies not established in the EU but subject to the GDPR would need to notify the supervisory authority in every Member State where individuals are affected.
  • As the UK has now left the EU, this affects all UK companies, which now need to review their breach notification processes.

Data protection and privacy regulations are fundamental for any company or industry operating in today’s digital world. One such law is the General Data Protection Regulation (GDPR), which requires companies to have strong security systems to protect the personal data of those who are present in the European Union (EU), irrespective of their citizenship.

Even with strict security systems in place, companies still run the risk of data breaches, and this is where the GDPR’s data breach notification guidelines come in. These guidelines set out the steps needed to notify the relevant authorities and stakeholders about a data breach on time.

In this article, we’ll take you through the implications of these updated guidelines, talk about why you should implement robust data protection strategies, and how you can stay compliant.

But first, here’s a refresher on what GDPR is and why personal data breaches must be handled with the utmost care.

What is the GDPR?

The GDPR is a regulation that was adopted by the European Union in 2016, replacing the Data Protection Directive 95/46/EC. It provides a complete set of rules on personal data protection, outlining how companies can process personal data lawfully, transparently, and for a specific purpose.

What are the obligations to protect personal data under GDPR?

The GDPR sets out several requirements for companies that handle the personal data of EU residents. These include:

  • Data minimisation - Companies should identify the minimum amount of personal information they need for a specific purpose and collect only that amount. They should also retain the information only until the intended purpose is fulfilled. The information collected should be adequate, relevant, and limited to what is necessary.
  • Privacy by design - Information security and privacy should be built into your company’s data systems. In other words, safeguarding and protecting information privacy should be any company's default mode of operation.
  • Security measures - Companies are required to take appropriate technical and organisational measures to protect personal data. This involves encrypting personal data, setting up data protection controls, and ensuring that data processing systems protect the integrity, confidentiality and accessibility of personal data.

Non-compliance with GDPR regulations puts you at risk for significant penalties where you may have to pay fines of up to €20 million or 4% of annual global turnover, whichever is higher.

However, even if you’ve set up the most robust controls and protections, there’s still a possibility of a data breach. This is where a personal data breach notification comes in.

What is a personal data breach under GDPR?

According to the GDPR, a data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

The 2022 updated guidelines highlight that a personal data breach can also include incidents where personal data is accessed by someone who is not authorised. For example, through misdirected emails or unauthorised access to a database.

Personal data breaches can be divided into three categories:

  • A confidentiality breach is an unauthorised or accidental disclosure of, or access to, personal data.
  • An integrity breach is an unauthorised or accidental alteration of personal data.
  • An availability breach is an accidental or unauthorised loss of access to, or destruction of, personal data.

Breaches can have major consequences for both individuals and companies, including financial loss, reputational damage, and legal consequences. To minimise this damage, companies need to notify supervisory authorities of a data breach as per the GDPR’s guidelines.

When and how must a company notify supervisory authorities of a data breach?

According to Article 33(1) of the GDPR, companies must notify data breaches to supervisory authorities without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach. This rule remains the same in the updated guidelines, but with improved clarity:

  • A data breach notification must be made when the personal data breach is likely to lead to risks for rights and freedoms of individuals, not just in the scope of the GDPR but also beyond.
  • If there is a data breach in the context of cross-border processing, a company based in the EU must notify its lead supervisory authority according to Article 56 of the GDPR. This means that the notification does not necessarily have to be made to the supervisory authorities where the affected data subjects are located. However, if the company is unsure which authority is its lead supervisory authority, it should still notify at least the supervisory authority(ies) where the breach occurred.
  • In the case of a data breach at a non-EU company that handles EU citizen data, the company must notify the supervisory authorities of all Member States whose citizens' data is affected. Companies that provide services to EU-based customers may have to notify up to 27 supervisory authorities separately. In the case of individuals in Germany, that could also include notifying each German federal state authority.

The updated guidelines also stress the importance of documenting personal data breaches. Companies should maintain detailed records of all breaches, including:

  • The nature of the breach
  • The categories of personal data involved
  • The number of individuals affected, and
  • The actions taken to address the breach

How can DataGuard help companies achieve GDPR compliance?

At DataGuard, we realise the severity of personal data breaches and the strain they place on individuals and companies.

Secure reporting channels are crucial to addressing internal issues without compromising the personal information of the parties involved. As a business that processes personal data, you are obligated to establish systems that limit the risk of data breaches. Our ISO 27001 certified and GDPR compliant whistleblowing platform, EQS Integrity Line, is the solution to this.

For everyday compliance, our Privacy-as-a-Service privacy platform acts as a single source of truth. With the best of human expertise and technology, it streamlines privacy tasks so you can remain GDPR compliant and continuously bolster your business’s approach to data privacy.

Our platforms are:

  • Encrypted to ensure whistleblower identity cannot be traced through technical means
  • Centralised so you can keep track of privacy measures and uphold accountability
  • Guided, every step of the way, with specialist advice from compliance experts

Compliance is a journey, and our team of industry experts can help with yours.

Conclusion

Data breaches can take a significant toll on your business – non-compliance fines can disrupt operations and cause serious reputational damage for years to come. For context, here’s a quick look at the data breach compensation amounts awarded to claimants. GDPR compliance isn’t a one-and-done deal – it is a continuous process to stay abreast of changing regulations. This is where DataGuard can help. Our team of 100+ experts in the fields of business, IT, and law, will guide you in achieving full compliance with the regulation.
