The G29 is continuing its work to clarify GDPR with a view to its implementation in May 2018. The subject of personal data breach notification is not entirely new, as the reporting obligation, which will soon apply to all, already exists for communication service providers. However, these guidelines reiterate or provide more detailed information about certain key requirements.

The G29, in addition to outlining the actual notification and communication obligations, addresses the following issues:

  • Definition of personal data breach and what distinguishes it from a simple security breach (It is important to remember, because there is often confusion on this point, that data breaches involve not only unauthorized or accidental access or disclosure, but also the destruction, loss, or alteration of personal data.)
  • Trigger for the 72-hour period to notify the supervisory authority of the data breach.
  • Role and obligations of the processor.
  • Sanctions, which normally fall under the more “limited” ceiling of € 10 million or 2% of the global turnover (However, data breaches may also reveal the absence or inadequacy of existing security measures, which the supervisory authority can independently sanction.)

Further details can be found here.