How to Write GDPR-Compliant Data Breach Notification Letters
In the world of data protection and security, data breaches are the worst possible scenario, and you'd be well advised to have a plan in place in case it happens to your business. One integral component of this plan is the data breach notification that will need to be sent to Data Protection Authorities and possibly to consumers.
We'll explain the importance of this letter and give some tips, as well as a template, for creating your own.
- 1. Personal Data Breach Notification Basics
- 2. Data Breach Notice Letter for Data Protection Authorities
- 2.1. What Information to Include in the Data Breach Notification Letter to DPAs
- 2.1.1. The Nature of the Personal Data Breach
- 2.1.2. Relevant Contacts
- 2.1.3. Describe Consequences
- 2.1.4. Measures Taken
- 2.2. How to Send the Data Breach Notification
- 3. Data Breach Notice Letter for Data Subjects
- 3.1. What Information to Include in the Data Breach Notification Letter to Affected Individuals
- 4. Example of a Data Breach Notice Letter
Personal Data Breach Notification Basics
A breach notification will need to be sent to an EU Data Protection Authority (DPA) quickly if a personal data breach affects European residents. It is usually necessary to inform consumers (data subjects) directly about the data breach as well.
While the concept may seem simple, EU privacy laws establish certain expectations about the format and content of data breach notification letters.
In summary, Article 33 makes the following requirements:
- Any data breach involving the personal data of European Union residents must be reported to an EU DPA within 72 hours if at all possible.
- If the breach is not reported within this time, the business must be able to report possible reasons for the delay.
- If a data processor suffers a data breach, they must inform the data controller immediately.
- The notification should describe the nature of the data breach, contact information for your business, the likely consequences of the data breach, and which measures are being taken to address and mitigate the data breach.
In other words, a breach notification is not only required after a data breach; it must also contain specific information and be sent within a set timeframe.
That's not all. GDPR Article 34 goes on to describe the requirements for communicating personal data breaches to the consumers who may be affected. Again, we'll summarize these stipulations:
- If the data breach is considered a high risk to the rights and freedoms of data subjects, they must be informed of the matter as soon as possible.
- The notification must be easy to understand and contain specific information about the data breach.
- Under certain circumstances, a direct communication to the consumer may not be necessary.
Since GDPR regulations delineate precise expectations when it comes to breach notifications, it would be a good idea to create a pre-established format or template for data breach notices. This can then be included in your Personal Data Breach Notification Policy so that all employees who handle consumer data understand the requirements and have the templates on hand if needed.
Data Breach Notice Letter for Data Protection Authorities
When determining whether you need to report a data breach to the Data Protection Authorities, first establish if the personal data breach is likely to result in a risk to the rights and freedoms of data subjects.
If you're not sure how to assess the risk, here are some situations that would be considered high risk:
- A loss of confidentiality in which personal information has been leaked or otherwise made available to unauthorized parties
- Unauthorized destruction or alteration of personal data, such as a loss of access to data or reversal of pseudonymization
- If the data breach may result in negative consequences to data subjects, such as potential identity theft, financial losses, fraud, psychological damage, damage to reputation, etc.
- Any data breach that involves sensitive categories of data, such as information regarding race, religion, sexual orientation, or criminal offenses
- If the data breach will affect a large number of data subjects, children, or otherwise vulnerable individuals
It is also important to note situations in which Data Protection Authorities may not need to be notified. Data breaches that do not necessarily need to be reported include:
- When the information involved was completely and irreversibly anonymized, or if the data was encrypted such that it cannot be accessed or used to identify anyone
- The personal data was already available to the public before the breach
- The loss of data access was very brief and immediately resolved with no potential consequences to data subjects
- The personal data was accidentally sent to a third party that the controller trusts will follow instructions and maintain the confidentiality of the information
If your data protection team is unsure whether or not the data breach needs to be reported, it is advisable to consult a data protection attorney or go ahead and report the breach anyway, just to be safe. If you decide that the breach does not require notification to a DPA, be sure to document the reasoning behind this decision.
What Information to Include in the Data Breach Notification Letter to DPAs
The most important thing to remember about a breach notification to an EU DPA is that it must be sent within 72 hours. Considering the quantity of information they expect you to include in the notification, it is recommended that you put together a template or questionnaire beforehand to save time for your data protection team.
Below we'll go over mandatory information that will need to be included in a personal data breach notification letter to DPAs.
The Nature of the Personal Data Breach
First, describe the nature of the personal data breach that occurred. Disclose how the breach happened, as well as the following points regarding the data subjects involved:
- How many individuals were affected?
- What categories of data were involved?
- How many personal data records were involved?
Relevant Contacts
Provide the name and contact information of your Data Protection Officer (DPO), EU Representative, or whichever entity is considered the point of contact for data protection matters in your organization.
Describe Consequences
After a thorough analysis of the nature of the data breach, work with your data protection team or privacy attorney to predict the likely consequences of the personal data breach. Consider whether there is a risk of identity theft, financial losses, or other consequences for the affected consumers. Describe your findings in the report.
Measures Taken
Explain which measures your team has taken, or the planned course of action, to address the data breach. Also recount how you plan to mitigate the likely consequences mentioned above. If you have any recommendations for what affected users can do (such as changing their passwords), make that known as well.
How to Send the Data Breach Notification
Most DPAs provide a form or webpage that you can use to report the personal data breach. This can smooth the process since it helps your team pinpoint exactly which information is needed in the report.
First, you'll need to determine which DPA is your lead supervisory authority. If you're not located in the EU, this could be a bit tricky.
If you have a Data Protection Officer or EU Representative in the EU, then your lead supervisory authority will be the DPA that's closest to your representation.
If you do not have a representative or physical location in the EU, then your safest bet is to choose the DPA of the country where you have the largest number of EU customers. Here is a list of the DPA websites in each EU member state:
Once you have determined which DPA is your lead supervisory authority, you can report personal data breaches on their website. There is usually an easy-to-find link for reporting breaches, such as the large green link shown here on the homepage of the Ireland DPA:
In most cases, you will be presented with a questionnaire-style webform that you can use to fill in all the relevant details of the data breach. This is how the Ireland DPA begins their questionnaire:
The data breach reporting forms can be detailed and involved, so prepare as much information as possible ahead of time so that this form can be filled out quickly and sufficiently.
Once the form is completed and submitted to a DPA, it's time to determine if a data breach notice letter to data subjects will be necessary.
Data Breach Notice Letter for Data Subjects
If the personal data breach is likely to result in a high risk to the rights and freedoms of EU consumers, you will be required to inform those individuals as soon as possible.
Basically, if you had to inform the DPA about the data breach in accordance with the risk factors laid out previously, you will probably have to inform data subjects as well.
The GDPR does describe several situations in which the data controller will not have to inform consumers. These include:
- If the data was encrypted or anonymized to the point that it would be impossible to decipher the information or use it to identify individuals
- If the data controller has taken corrective measures and ensured that the risk to the rights and freedoms of individuals no longer applies
- If it would take an enormously disproportionate effort to contact individual consumers, the controller may decide to communicate the data breach in a public forum
Keep in mind that if you decide not to inform data subjects based on the criteria above, but a supervisory authority disagrees with your decision, they may compel you to do so.
What Information to Include in the Data Breach Notification Letter to Affected Individuals
The first requirement for a data breach notification letter is that it be written in clear and plain language. This is not the time to use sophisticated legal terms; make sure the letter is simple and easy to understand.
According to the GDPR, the contents of the letter must include:
- The nature of the data breach
- Name and contact details of your DPO or privacy representative
- The likely consequences or negative effects that could impact data subjects
- The measures taken to address the data breach and mitigate its negative effects
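The decision steps above (assess risk, check the exemptions, notify the DPA within 72 hours with the four Article 33 elements, then decide whether data subjects must be told) can be captured as a small checklist tool so an incident response team applies them the same way every time. The following Python module is an added example and is not code from the article or from any DPA; the field names, the risk-rule ordering and the sample incident are constructed assumptions modelled on the bullet lists in the DPA and data subject sections, not an official risk methodology.

```python
"""Breach-notification checklist helper (added example; assumptions labelled inline)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

ARTICLE_33_WINDOW = timedelta(hours=72)  # Art. 33(1): notify the DPA within 72 hours
# Special categories named in the article (constructed identifiers, not an exhaustive list)
SENSITIVE_CATEGORIES = {"race", "religion", "sexual_orientation", "criminal_offences"}


@dataclass
class BreachRecord:
    """Facts the data protection team has established about an incident (assumed schema)."""
    discovered_at: datetime                 # when the controller became aware of the breach
    categories: set                         # categories of personal data involved
    affected_subjects: int
    affected_records: int
    confidentiality_lost: bool = False      # data leaked to unauthorised parties
    integrity_or_availability_lost: bool = False  # destroyed, altered, or access lost
    outage_brief_and_resolved: bool = False
    unintelligible: bool = False            # irreversibly anonymised or strongly encrypted
    already_public: bool = False
    trusted_recipient_only: bool = False    # mis-sent to a party bound to confidentiality
    vulnerable_subjects: bool = False       # children or otherwise vulnerable people
    risk_since_removed: bool = False        # corrective measures eliminated the high risk
    # The four Article 33(3) elements, kept as free text for the letter
    nature: str = ""
    contact: str = ""
    consequences: str = ""
    measures: str = ""


def variant(record, **changes):
    """Copy a record with some fields changed (handy for what-if assessments)."""
    return replace(record, **changes)


def dpa_notification_required(b):
    """Return (required, reason) for the Article 33 notification to the DPA."""
    # Situations the article lists as not necessarily reportable are checked first
    if b.unintelligible:
        return False, "data anonymised or encrypted beyond use"
    if b.already_public:
        return False, "personal data was already public before the breach"
    if b.trusted_recipient_only:
        return False, "sent only to a trusted party bound to confidentiality"
    if b.integrity_or_availability_lost and b.outage_brief_and_resolved \
            and not b.confidentiality_lost:
        return False, "brief loss of access, resolved with no consequences"
    # High-risk indicators from the article's list
    if b.categories & SENSITIVE_CATEGORIES:
        return True, "sensitive categories of data involved"
    if b.confidentiality_lost:
        return True, "loss of confidentiality"
    if b.integrity_or_availability_lost:
        return True, "unauthorised destruction, alteration or loss of access"
    if b.vulnerable_subjects:
        return True, "children or otherwise vulnerable data subjects affected"
    return False, "no risk to rights and freedoms identified; document this decision"


def subject_notification_required(b):
    """Article 34: inform data subjects when the risk is high, unless an exemption applies."""
    required, reason = dpa_notification_required(b)
    if not required:
        return False, reason
    if b.risk_since_removed:
        return False, "corrective measures removed the high risk (Art. 34(3)(b))"
    return True, reason


def dpa_deadline(b):
    """Latest time the DPA notification can be sent without a delay justification."""
    return b.discovered_at + ARTICLE_33_WINDOW


def missing_article_33_fields(b):
    """Names of the mandatory letter elements that are still empty."""
    elements = {"nature": b.nature, "contact": b.contact,
                "consequences": b.consequences, "measures": b.measures}
    return [name for name, text in elements.items() if not text.strip()]


def build_dpa_notice(b, now):
    """Assemble the notification payload; a late filing is flagged so reasons get attached."""
    missing = missing_article_33_fields(b)
    if missing:
        raise ValueError(f"notice incomplete, missing: {missing}")
    return {
        "nature": b.nature,
        "subjects_affected": b.affected_subjects,
        "records_affected": b.affected_records,
        "data_categories": sorted(b.categories),
        "contact": b.contact,
        "likely_consequences": b.consequences,
        "measures": b.measures,
        "deadline_utc": dpa_deadline(b).isoformat(),
        "delay_justification_required": now > dpa_deadline(b),
    }


# Constructed sample incident: a leaked credential table, not a real event
SAMPLE = BreachRecord(
    discovered_at=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    categories={"email", "password_hash"},
    affected_subjects=12000, affected_records=12000,
    confidentiality_lost=True,
    nature="Copy of the credential table obtained by an unauthorised party",
    contact="dpo@example.com (placeholder)",
    consequences="Reuse of leaked credentials against other services; targeted phishing",
    measures="Passwords reset and sessions invalidated; users advised to change reused passwords",
)

if __name__ == "__main__":
    print(dpa_notification_required(SAMPLE), subject_notification_required(SAMPLE))
    print(build_dpa_notice(SAMPLE, datetime.now(timezone.utc)))
```

Run the module once a breach record is filled in: the tuple results explain which rule fired, and `build_dpa_notice` refuses to produce a letter while any of the four mandatory elements is blank, which is the check a template or questionnaire is meant to enforce before the 72-hour window closes.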
If the data breach affected United States citizens, the Federal Trade Commission (FTC) also requires the letter to include a list of steps the individuals can take to safeguard their personal information in case the breach does compromise their privacy. These steps may differ according to the type of data that was leaked, as you will see in the examples below.
Example of a Data Breach Notice Letter
Beyond the basic requirements that are laid out above, a data breach notice letter should also be written in such a way that reassures the consumer about their personal information and, ideally, reestablishes some trust between the data controller and the data subject.
LinkedIn sent the following data breach notification in 2016:
Notice that the language is open and direct, going right to the point. The company approaches the consumer from the standpoint of honesty, intending to convey the company's concern. The nature of the data breach is described in one short paragraph. LinkedIn then goes on to describe the measures it is taking and mentions ways that users can safeguard their accounts against future privacy threats. This satisfies FTC requirements.
Finally, a point of contact is provided.
The above letter not only meets GDPR and FTC stipulations regarding data breach notifications, but it also demonstrates LinkedIn's commitment to maintaining a transparent and trusting relationship with its customers.
You can streamline the process of sending a data breach notification letter to consumers as much as possible by having a breach notification letter template and including it as part of the Personal Data Breach Notification Policy that is used by your data protection team. These precautions will help to ensure that all employees are well-versed and prepared for any potential data breach in the future.