Not every incident is a personal-data breach
Assess confidentiality, integrity, and availability effects on personal data and the resulting risk to people. Record the decision even when notification is not required.
Article 32 control model
Security must be appropriate to risk, considering state of the art, implementation cost, processing context, and potential impact on people. Relevant measures include pseudonymization and encryption, ongoing confidentiality/integrity/availability/resilience, timely restoration, and regular testing of control effectiveness.
This is not a fixed checklist. The controller and processor must connect threats, data sensitivity, scale, access, dependency, recovery, and human impact to selected controls and evidence.
Breach decision workflow
- Contain and preserve: limit exposure while retaining reliable evidence.
- Establish awareness time: record when the controller had a reasonable degree of certainty that a personal-data breach occurred.
- Characterize data and people: categories, approximate numbers, sensitivity, identifiability, protections, recipients, duration, and geography.
- Assess consequences: identity theft, fraud, discrimination, confidentiality loss, physical or economic harm, loss of control, and other effects.
- Decide supervisory notification: Article 33 requires notification without undue delay and, where feasible, within 72 hours after awareness unless the breach is unlikely to result in risk to rights and freedoms.
- Decide communication to people: Article 34 applies where the breach is likely to result in high risk, subject to its conditions and exceptions.
- Document regardless: record facts, effects, decisions, notifications, delays, containment, recovery, and corrective action.
Evidence pack
- incident timeline and awareness rationale;
- affected systems, data flows, people, and processors;
- risk and high-risk assessment criteria;
- notification decision and approval;
- regulator and data-subject communications;
- processor notices and contractual timing;
- containment, recovery, and control test results; and
- lessons learned, owners, deadlines, and effectiveness review.
Primary references
- Gdpr
- Article 32
- Personal data breach
- Incident response
- Notification
Note Metadata
Aliases: GDPR Article 32, GDPR Breach Notification
Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng