Personal data breach
GDPR defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
In the case of a security breach, the DPO must determine whether to notify the Data Protection Authority and the Data Subjects involved, according to Articles 33 and 34 of the GDPR.
According to Article 33 (1) of the GDPR:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
If notification is deemed necessary, the DPO must submit the Data Breach Notification within 72 hours of being made aware of the breach (see Milestone Data Breach Notification template). Data Subjects must also be notified if the personal data breach "is likely to result in a high risk to the rights and freedoms of individuals."
Data Processors experiencing a personal data breach must notify the Data Controller, but have no other notification or reporting obligation under the GDPR.
For information about the other responsibilities of the DPO, see Data Controller.