Data Protection Commission Published Guidance Note on Breach Notification Requirements
The Data Protection Commission (DPC) is the national independent authority in Ireland responsible for upholding the fundamental right of individuals in the European Union (EU) to have their personal data protected.
Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the General Data Protection Regulation (GDPR), and it also has functions and powers related to other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (LED).
On 14 August 2019, the DPC published a guidance note entitled “A Quick Guide to GDPR Breach Notifications.” This guide is intended primarily to help controllers better understand their obligations regarding notification and communication requirements, covering both notification to the DPC and communication to data subjects, where applicable.
There are two primary obligations on controllers under this regime: (a) notification of any personal data breach to the DPC, unless they can demonstrate it is unlikely to result in a risk to data subjects; and (b) communication of that breach to data subjects, where the breach is likely to result in a high risk to data subjects. It is of utmost importance that controllers understand and comply with both of these obligations.
The DPC recommends that controllers should also be able to demonstrate when and how they became aware of a personal data breach, which will assist the DPC in assessing compliance with the requirement to notify “without undue delay”.