
Breach Notification

/briːtʃ ˌnoʊtɪfɪˈkeɪʃən/

Learn about breach notification requirements for Irish companies under GDPR, including when to notify within 72 hours, how to assess risks, and avoid the steep fines for non-compliance.


What is Breach Notification exactly?

Breach notification refers to the mandatory process under the General Data Protection Regulation (GDPR) that requires organisations to report certain types of personal data breaches to the relevant supervisory authority. In Ireland, this authority is the Data Protection Commission (DPC), which oversees enforcement and provides guidance on when and how to make notifications. A personal data breach encompasses any incident where there is accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

The notification requirement serves multiple purposes. First, it enables the DPC to assess whether the breach poses risks to individuals' rights and freedoms. Second, it ensures affected individuals can take protective measures if their data has been compromised. Third, it creates an incentive for organisations to implement robust security measures by making data breaches a matter of public accountability. For your Irish company, understanding breach notification is crucial because non-compliance can result in fines of up to €20 million or 4% of your global annual turnover.

You must assess whether a breach is "likely to result in a risk" to individuals' rights. Not every incident triggers notification. For example, if you lose an encrypted laptop containing personal data, and the encryption key wasn't compromised, the risk might be low. However, if you experience a ransomware attack where hackers access unencrypted customer records, you likely have a notification requirement. This assessment must be documented carefully as part of your compliance records.

What triggers a Breach Notification requirement?

A breach notification requirement is triggered when there is a personal data breach that is "likely to result in a risk to the rights and freedoms of individuals." This assessment considers several factors, including the sensitivity of the data (such as health information or financial details), the volume of data affected, and the potential consequences for individuals (like identity theft or discrimination). If your breach involves special category data, which includes information about race, political opinions, or religious beliefs, the threshold for notification is lower.

You should consider the type of breach. Confidentiality breaches involve unauthorised disclosure of data, such as sending an email containing customer information to the wrong recipient. Integrity breaches occur when data is altered without authorisation, potentially affecting its accuracy. Availability breaches happen when data becomes inaccessible, as during a ransomware attack. Each type may require a different response, but all must be evaluated against the "risk to individuals" standard.

The "likelihood" assessment is subjective but must be reasonable and defensible. If you're unsure whether notification is required, it's often safer to notify the DPC and explain your uncertainty. The DPC can provide informal guidance on whether formal notification is needed, which demonstrates your commitment to compliance and may reduce potential penalties if you've made an error in judgment.

When must I notify the Data Protection Commission?

If you determine that a breach is notifiable, you must notify the Data Protection Commission (DPC) within 72 hours of becoming aware of the breach. This timeline is strict, and the clock starts when you have a reasonable belief that a breach has occurred, not when you complete your investigation. You should notify as soon as possible, even if you don't yet have all the details.

The notification must include specific information, including the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures you're taking to address the breach. If you cannot provide all required information within 72 hours, you must submit an initial notification and follow up with additional details later. The DPC may request further information as part of its assessment.

Delaying notification beyond 72 hours requires justification. Acceptable reasons might include needing time to assess the scope of a complex cyberattack. However, "we forgot" or "we were busy" are not valid excuses. The 72-hour deadline applies to breaches involving both customers and employees, so ensure your internal incident response plan includes procedures for detecting and escalating potential breaches promptly.

When must I notify affected individuals?

You must notify affected individuals directly if the breach is "likely to result in a high risk to their rights and freedoms." This is a higher threshold than the requirement to notify the DPC. Direct notification allows individuals to take steps to protect themselves, such as changing passwords, monitoring bank accounts, or being alert to phishing attempts.

Direct notification should be clear and concise, avoiding overly technical language. You should describe the nature of the breach, the types of data involved, recommended steps individuals can take to protect themselves, and contact details for further information. The notification should be delivered without undue delay, typically via email if you have that contact information, or by public announcement if direct contact isn't feasible.

There are exceptions to the individual notification requirement. If the data was encrypted or otherwise rendered unintelligible to unauthorised parties, you might not need to notify individuals. Similarly, if you've taken subsequent measures that ensure the high risk is no longer likely to materialise, direct notification might not be required. However, the DPC can still require you to notify individuals if it believes this is necessary.

What information must be included in a Breach Notification?

A formal breach notification to the DPC must include specific details as outlined in Article 33 of the GDPR. You must describe the nature of the breach, including the categories and approximate number of affected individuals, and the categories and approximate number of affected personal data records. You should also identify your data protection officer or another contact person.

The notification should explain the likely consequences of the breach, such as identity theft, financial loss, or reputational damage to individuals. You must detail the measures you have taken or propose to take to address the breach, including measures to mitigate its possible adverse effects. This demonstrates your commitment to resolving the issue and protecting affected individuals.

If you cannot provide all information immediately, you should explain why and indicate when you expect to have additional details. The DPC may request follow-up information, so maintaining clear records throughout your investigation is essential. Proper documentation also helps during any subsequent due diligence processes if you seek investment or consider selling your business.

Where would I first see Breach Notification?

You will most likely encounter breach notification requirements when reviewing your company's data protection policies or during conversations with your IT team after a security incident. Many founders first learn about these obligations when setting up their privacy notice or when a vendor sends them a data processing agreement that includes breach notification clauses. The term frequently appears in cyber insurance policies, which often require prompt notification of incidents to maintain coverage.

How should I prepare for potential Breach Notifications?

Preparation is your best defence against breach notification failures. You should develop and document an incident response plan that outlines roles and responsibilities, communication channels, and decision-making processes for assessing breaches. This plan should be tested through tabletop exercises with key team members, including IT, legal, and communications staff.

Your incident response plan should include template notification letters for both the DPC and affected individuals. Having these prepared in advance saves valuable time during a crisis. You should also maintain an up-to-date record of your data processing activities, knowing what personal data you hold, where it's stored, and who has access. This inventory helps you quickly assess the scope of a breach.

Consider your contractual relationships. If you use third-party processors (like cloud providers or payroll services), your contracts should require them to notify you promptly of any breaches involving your data. Similarly, if you're a processor, you must notify the controller (the company that owns the data) without undue delay. These requirements are often embedded in joint venture agreements or service contracts that involve data sharing.

What are the penalties for failing to notify?

Failing to notify the DPC of a notifiable breach can result in significant administrative fines under GDPR. The maximum penalty is the higher of €20 million or 4% of your total worldwide annual turnover from the preceding financial year. While not every failure results in the maximum fine, the DPC considers the nature, gravity, and duration of the infringement, as well as whether it was intentional or negligent.

Beyond financial penalties, failure to notify can damage your company's reputation and erode customer trust. It may also affect your ability to secure cyber insurance or attract investors who conduct thorough due diligence. In severe cases, where negligence is evident, directors could face personal liability or disqualification proceedings.

The DPC also has corrective powers, including ordering you to bring processing operations into compliance, imposing a temporary or permanent ban on processing, and ordering the suspension of data flows to third countries. These measures can be more damaging than fines alone, as they could halt your business operations entirely. Proper notification demonstrates cooperation with authorities, which can be a mitigating factor in enforcement actions.

Does Breach Notification apply to all types of data?

Breach notification requirements under GDPR apply specifically to "personal data," which is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names, email addresses, and identification numbers, but also location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

Special category data, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, and data concerning a person's sex life or sexual orientation, receives enhanced protection. Breaches involving special category data are more likely to require notification due to the heightened risks to individuals' rights and freedoms.

Business data that doesn't contain personal information, such as aggregated statistics or anonymised data that cannot be linked back to individuals, generally falls outside breach notification requirements. However, you should be cautious about assuming data is truly anonymous, as re-identification risks exist with many datasets. If you hold intellectual property like trademark information, separate legal protections apply to breaches of that data under intellectual property law rather than data protection law.
