In this video, Mandy Huth breaks down Article 33 of GDPR. Learn the definition of a personal data breach, timing for notification, what information is required with notification, and notifying data subjects.
- [Instructor] Article 33 of GDPR outlines the circumstances when, and the timing for, notifications in case of a breach. The regulation outlines that if a data subject's rights of data privacy are at risk, an organization is required to notify them about the situation. It is always better to err on the side of caution, and this proves a proactive, prudent action on behalf of the organization. What is a data breach then? The security tenets of confidentiality, integrity, and availability apply here.
If data is impacted anywhere during the process, and it impacts a data subject's privacy, it should be considered a breach. This is not only about data theft. It can be data spills as well. If a processor becomes aware of a potential breach, the clock starts. This occurs if there is a reasonable degree of certainty that a breach has occurred. This also includes if the processor is separate from the controller. At this point, the controller's clock begins as well, as they are ultimately accountable for the data.
It's important to note, no notification is required if it is unlikely to result in a risk to data subjects' privacy. Finally, it's important to note that if an organization does not report to the supervisory authority within 72 hours of becoming aware, that authority will require an explanation from the business as to why they did not notify within that timeframe. Next, who do you notify, and what do you need to report? Being very clear about the nature of the loss, and the impact to data subjects' rights and privacy, shows diligence and transparency with the supervising agency.
Interestingly, the EU Parliament determined that each member state must supply an independent public authority to monitor the application of the GDPR regulation. Therefore, in an instance of notification, a business should check their particular country's contact information. Data subjects expect privacy, and a data breach impacts these assumptions. Communicating clearly and transparently to the data subjects will help alleviate some of their concerns and preserve trust.
An organization must use plain language when communicating with data subjects. Remember, not everyone is an IT techie. Make sure to give data subjects contact information specific to the data protection officer for any questions or concerns they may have. Understanding when an organization must notify of a breach, and on what timing, ensures key compliance with the GDPR regulation.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.