Article 31 of the EU regulation proposal on personal data protection makes the notification of data breaches to the supervisory authority mandatory for every controller, without undue delay. Likewise, processors must notify every data breach to the controller, again without undue delay, so that the controller can act.
The notification must at least describe the nature of the breach and the measures taken to address it and to mitigate its impact on the data subjects.
Everything must be documented in such a way that the supervisory authority can verify that the security measures required by article 30 are in place.
Article 32 states that, where the breach could adversely affect the data subjects' rights, the data subjects must also be informed of what happened and of the measures adopted to address the breach and mitigate its impact.
Whether to inform the data subjects is the controller's decision, but the supervisory authority may intervene if it disagrees with that decision.
A few comments to close this short summary.
Fines for failing to apply the Regulation properly may be very high, but fines are not the whole picture: a company's liability towards its customers, employees and partners may cause even greater damage through class actions or other compensation claims if the company is found responsible for failing to protect the data properly.
Managing the disclosure of data breaches is not only a technical issue: it requires employee awareness, properly implemented processes and procedures, and an organization capable of reacting to each event in time. Getting all of this ready takes time and effort.
The Regulation states that disclosure must take place without undue delay from discovery, but the question remains of when the breach actually began. How long might the attackers have been moving around the databases before being stopped? The damage depends heavily on that delay, and not only for personal data.