In this video, Mandy Huth reviews Article 33 of the GDPR. Investigate notification requirements to a regulatory authority, internal notifications, external notifications, and what to include when notifying data subjects of a breach.
- [Instructor] Article 33 of GDPR outlines the circumstances in which, and the timing by which, notification is required in case of a data breach. The regulation outlines that if a data subject's rights of data privacy are at risk, an organization is required to notify those citizens about the situation. It is better to err on the side of caution, and this proves proactive, prudent action on behalf of the organization. If an organization, whether it be the controller or the processor, suspects a breach, they should first notify and engage their own internal teams.
Some of the actions that should occur would be to alert your infosec team, as they will run incident response for you. IT can pull logs and help to identify root cause. Notifying legal helps an organization to invoke attorney-client privilege. Preparing support to respond to customer inquiries, as well as ensuring that even the front desk, when answering the phone, has a canned response and procedure, will ensure that a business is prepared to answer any questions that come in during this time.
After engaging internal teams, an organization may need to communicate with external third parties, depending on the incident. If a business plans on making an insurance claim, or doesn't know how to identify root cause, they should be prepared to engage the appropriate external parties to assist them. GDPR outlines a 72-hour notification period. This period begins upon becoming aware of a potential incident impacting data subjects' data privacy.
The nature of the loss, as well as the number of people and records impacted, are key pieces of information. Additionally, the potential consequences are key data points for the supervisory authority. It is important to note that if an organization does not have full information about the situation, it is okay to provide the information to the supervisory authority in phases as that information becomes available. The most important person to be notified in case of a data breach is the data subject.
Data subjects must be notified directly. This can mean different things depending on the situation. It certainly implies a dependency on the nature of the data collected. In terms of notification, this could mean that the organization is communicating with the data subjects either electronically or in writing. Most importantly, all of your communication must include contact information for the organization's data protection officer.
This ensures that data subjects have a contact for any questions or concerns they may have. Understanding how long an organization has to notify of a data breach, as well as who must be notified, ensures an organization's compliance with GDPR regulation.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Define the objectives of GDPR relating to the personal privacy of citizens.
- Determine the responsibilities of data protection officers under GDPR.
- Identify the rights of citizens in the event of a data breach.
- Review the steps that must be taken in the event of a data breach.
- Describe the notification process in the event of a data breach.