Data breach notifications

Learn how to track data breach notifications.

What is a data breach notification?

Article 4(12) of the GDPR defines a personal data breach as:

a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.

This covers any security incident, whether malicious or not and whether intentional or unintentional, that compromises the integrity, confidentiality or availability of personal data. For example:


  • accidental deletion of medical data kept by a healthcare establishment and not saved elsewhere;

  • loss of an unsecured USB key containing a copy of a company's customer base;

  • malicious entry into a school database and modification of the results obtained by the pupils.

The obligations of data controllers regarding personal data breaches, and in particular their notification to the CNIL and to the persons concerned, are defined in Articles 33 and 34 of the GDPR.

What are the obligations for companies?

The GDPR introduces notifications of personal data breaches.

A personal data breach is a security breach that accidentally or unlawfully causes the destruction, loss, falsification or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to that data.

In the event of a personal data breach, and unless the breach is not likely to create a risk for the rights and freedoms of individuals, the controller has the obligation to:

  • Report the violation in question to the local data protection authority within 72 hours

  • Inform everyone affected by the data breach as quickly as possible (customers, prospects, employees, ...)

Any violation of this obligation is penalized by the data protection authorities.

For more information

Data subject right request