You would use this internally, in line with your own policies, so that staff can report a suspected data breach to the designated Data Protection Officer (or whoever is responsible for privacy matters), and so that the details the Data Protection Officer needs, and that the supervisory authority may later ask for, are captured at the time the breach is reported.
A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4(12))
A Data Processor must notify the Data Controller ‘without undue delay after becoming aware of a personal data breach’ (Article 33(2)). The Data Controller must in turn notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)); a notification made after 72 hours must be accompanied by the reasons for the delay. Note that the 72-hour clock runs from awareness, not from the incident itself, and that the controller must document every personal data breach, including those it decides not to notify, so that the supervisory authority can verify compliance (Article 33(5)).
Data subjects must be informed of a breach without undue delay where it is likely to result in a high risk to their rights and freedoms (Article 34), unless:
- the data has been rendered unintelligible to any person not authorised to access it (for example by encryption);
- the Data Controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise; or
- it would involve disproportionate effort to inform data subjects individually, in which case a public communication or similar measure can be used instead.