Recital - 85.
Notification Obligation of Breaches to the Supervisory Authority
Executive Summary
If your organization experiences a data breach or data loss, you must disclose it to the supervisory authority (SA) within 72 hours of discovery.
Recital Text
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.
Recital - 87.
Promptness of Reporting / Notification
Executive Summary
If your organization experiences a data breach or data loss, you must disclose it to the data subject "without undue delay". That is generally accepted to mean after the SA has completed its audit and law enforcement has authorised the release of the data.
Recital Text
It should be ascertained whether all appropriate technological protection and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.
Recital - 88.
Format and Procedures of the Notification
Executive Summary
If your organization experiences a data breach or data loss, you must disclose it to the data subject "without undue delay". That is generally accepted to mean after the SA has completed its audit and law enforcement has authorised the release of the data.
Recital Text
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
Executive Summary
Processes should be put in place to regularly review log data from systems, network devices and security devices so that malicious activity is identified in a timely manner. This can be done manually or with alerting tools such as log analyzers or a SIEM. Logs should be stored securely to prevent tampering with forensic data.
Article ID: 393
Created: September 27, 2022
Last Updated: September 27, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/gdpr-communication-of-a-personal-data-breach-to-the-data-subject-review-log-data-to-identify-security-events-393.html