The Irish Data Protection Commission has issued guidance on data breach notification under GDPR.
Key takeaways:
A personal data breach is a security incident that negatively impacts the confidentiality, integrity, or availability of personal data, with the consequence that the controller is unable to ensure compliance with the principles for processing personal data as outlined in Article 5 of the General Data Protection Regulation. You must conduct a risk assessment to determine whether a breach is reportable. Factors to consider regarding the risk:
- type and nature of personal data
- circumstances of the breach
- whether or not personal data had been protected by appropriate technical protection measures, (e.g. encryption or pseudonymization)
- ease of direct or indirect identification of affected data subjects
- likelihood of reversal of pseudonymization or loss of confidentiality
- likelihood of identity fraud, financial loss or other forms of misuse of the data
- whether the data could be, or is likely to be, used maliciously
- the likelihood that the breach could result in, and the severity of, physical, material or non-material damage to data subjects
- whether the breach could result in discrimination, damage to reputation or harm to data subjects’ other fundamental rights.