GDPR

Chapter 4

Article 33

Compliance Guide

GDPR Article 33

Notification of a personal data breach to the supervisory authority

  • In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

  • The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

  • The notification referred to in paragraph 1 shall at least:

    • (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    • (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

    • (c) describe the likely consequences of the personal data breach;

    • (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  • Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

  • The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

· GDPR Article 33 Compliance Guide

When a data breach occurs, Article 33 of the GDPR requires prompt and proper notification to supervisory authorities. Here's a practical framework to ensure your business can respond effectively within the tight 72-hour timeline.

Creating Your Breach Response Protocol

1. Establish a Detection System

Set up technical tools and train staff to identify potential breaches:

  • Implement intrusion detection systems

  • Configure alerting for unusual data access patterns

  • Create simple channels for staff to report suspicious activities

  • Monitor system logs for unauthorized access attempts

2. Form a Breach Response Team

Define clear roles and responsibilities:

  • Incident Lead: Coordinates the overall response

  • Technical Investigator: Determines breach scope and cause

  • Legal Advisor: Assesses legal obligations

  • Communications Manager: Prepares notifications

  • Remediation Manager: Implements corrective measures

3. Create Notification Templates

Develop pre-approved templates containing:

  • Company details and DPO contact information

  • Structured sections for required information

  • Placeholders for breach-specific details

  • Format aligned with your supervisory authority's preferences

4. Design a 72-Hour Action Plan

Break down the timeline into manageable phases:

  • 0-24 hours: Detect, contain, initial assessment

  • 24-48 hours: Complete investigation, impact assessment

  • 48-72 hours: Final review and notification submission

Executing the Response

Step 1: Initial Assessment (0-24 hours)

Upon breach detection:

  • Contain the breach to prevent further data exposure

  • Collect preliminary information about affected systems

  • Make an initial risk assessment

  • Alert key team members

  • Document discovery time to establish the 72-hour deadline

Step 2: Investigation & Documentation (24-48 hours)

Gather the information required for notification:

  • Categories and approximate number of affected data subjects

  • Types and approximate volume of compromised records

  • Technical circumstances of the breach

  • Potential consequences for individuals

  • Document all findings in a breach log

Step 3: Notification Preparation (48-72 hours)

Compile a compliant notification that includes:

  • Clear description of the breach nature

  • DPO or alternative contact details

  • Assessment of likely consequences

  • Measures taken to address and mitigate the breach

  • Timeline for providing additional information if not all details are available

Step 4: Submission

Submit the notification through the appropriate channel:

  • Use your supervisory authority's preferred method (online portal, email)

  • Keep proof of submission

  • Prepare for follow-up questions

Practical Risk Assessment Framework

Develop a simple scoring system to assess if notification is required:

  1. Data sensitivity (1-5)

  2. Volume of affected records (1-5)

  3. Ease of identifying individuals (1-5)

  4. Potential for harm (1-5)

  5. Containment status (1-5)

Total score above 15 generally indicates notification is required.

Documentation Requirements

Maintain a breach register containing:

  • Date and time of breach discovery

  • Breach details and scope

  • Risk assessment results

  • Notification decision rationale

  • Copy of submitted notification

  • Details of remedial actions

  • Lessons learned

‹ Article 32

Security of processing

Article 34 ›

Communication of a personal data breach to the data subject

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

Take It Down

AI Insights

More Articles

Copyright © GDPR-CCPA. All rights reserved

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

Take It Down

AI Insights

More Articles

Copyright © GDPR-CCPA. All rights reserved

GDPR

GDPR Hub

CCPA/CPRA

CCPA/CPRA Hub

Take It Down

AI Insights

More Articles

Copyright © GDPR-CCPA. All rights reserved