GDPR Article 34 outlines an organisation's obligation to inform data subjects of a data breach that is likely to result in a significant risk to their rights and freedoms as individuals.
Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
   - (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
   - (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
   - (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
   - (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
   - (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
   - (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the Commissioner, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
GDPR Article 34 makes it clear that not all breaches must be communicated to data subjects. However, organisations should communicate the details of a breach when it is likely to result in a high risk to the rights and freedoms of natural persons.
Article 34 outlines three main areas to focus on when communicating a data breach:
Controllers aren't obligated to communicate a breach under the following three scenarios:
In this section we talk about GDPR Articles 34 (1), 34 (2), 34 (3)(a), 34 (3)(b), 34 (3)(c) and 34 (4).
In order to create a cohesive, highly functioning incident management policy that safeguards the availability and integrity of privacy information during critical incidents, organisations should:
Staff involved in privacy information security incidents should understand:
When dealing with privacy information security events, staff should:
Reporting activities should be centred around four key areas:
In this section we talk about GDPR Articles 34 (2) and 34 (1).
Organisations should ensure that privacy information security incidents are dealt with by a dedicated technical team with the skills and resources to effect a prompt resolution (see ISO 27002 Control 5.24).
Organisations should:
| GDPR Article | ISO 27701 Clause | ISO 27002 Controls |
|---|---|---|
| EU GDPR Articles 34 (1) to 34 (4) | ISO 27701 6.13.1.1 | 5.25, 5.26, 5.5, 5.6, 6.8, 8.15, 8.16 |
| EU GDPR Articles 34 (2) and 34 (1) | ISO 27701 6.13.1.5 | 5.24, 5.27, 5.28, 5.29, 5.30 |
Thanks to built-in guidance and our 'Adopt, Adapt, Add' implementation approach, ISMS.online makes demonstrating GDPR compliance a breeze. A range of powerful time-saving features will also be available to you.
With our intuitive platform, you can accomplish multiple information security and privacy objectives by mapping your work across multiple standards and frameworks.
If you need help or advice during your journey towards GDPR, we can make our team of in-house experts available or recommend a trusted partner who can help.
Find out more by booking a demo.
I’ve done ISO 27001 the hard way so I really value how much time it saved us in achieving ISO 27001 certification.