GDPR Data Breach Notification Form To Data Subjects Template

by Nash V

Introduction

One of the main GDPR obligations is that data controllers who store the personal data of their data subjects keep it safe and secure. There are multiple legal requirements, safeguards, tools, and processes that aim at meeting this obligation. Despite the best efforts, experience, and skills of the data controller, a data breach sometimes does occur, and personal data may be exposed as a result. The breach may be caused by a malicious attack or by a mistake made by one of the organization's employees.


If this does take place, the GDPR requires the data controller to be transparent and communicate the breach, along with its details, to the data subjects who may be affected by it. The communication must be clear, concise, and prompt. Note that the 72-hour timeline in the GDPR (Article 33) applies to notifying the supervisory authority, counted from the moment the organization became aware of the breach; where that deadline cannot be met, the notification must be accompanied by the reasons for the delay. Data subjects themselves must be informed without undue delay (Article 34) whenever the breach is likely to result in a high risk to their rights and freedoms.

Scope and Purpose

The notification form focuses on the basic details of the breach that occurred, who the point of contact (POC) on the organization's side is, and what the data subject and the organization should do next. The notification may vary according to the location of the data subject, to comply with local statutes as well as with the GDPR.

The notification typically includes these key points -

1. Basic details: When the breach occurred and when it was detected, and which systems (and where they are hosted) were affected.

2. DPO details: How the data subject can contact the organization with any queries.

3. Description: Explain what happened, the type of personal data which was compromised, and explain all the potential consequences.

4. Remediation/mitigation recommendations: What the data subjects should do to prevent further misuse of their personal data and to protect themselves.

5. Next steps: What the organization is doing to contain the breach and mitigate its consequences.

Required Fields in the Notification

The notification should include the following fields -

1. The name and contact details of the DPO (or of another contact point where more information can be obtained).

2. Data breach details, as detailed as the investigation allows at the time of sending.

3. Recommendations on precautions.

4. What will happen next from the side of the data controller.

The Obligations of the Data Controller

1. To follow up with the affected data subjects, assess whether any of them are likely to be harmed because of the breach, and take steps to mitigate that harm.

2. In case of a ransom or extortion demand by the attackers, the data controller manages the response (including liaison with law enforcement). Paying a ransom does not guarantee that the stolen data has been deleted and does not remove the obligation to notify the affected data subjects.

3. Employees will be periodically trained in handling personal data, including the organization's policy on the use of personal devices for work.

4. Personal data will be encrypted or pseudonymised at rest, so that if the stored data is breached it remains unintelligible to the attacker. Under Article 34(3)(a) of the GDPR, communication to data subjects may not be required where the affected data was protected in this way, for example by encryption whose keys were not compromised.


Term Definitions

What is a Data Controller?

An organization or person who determines the purposes and means of processing the personal data collected from data subjects. The data controller does not own the personal data (the GDPR grants no ownership of personal data), but it decides how the data will be processed and bears primary responsibility for safeguarding it, including when it engages a data processor to process the data on its behalf.

What is personal data?

Any information relating to an identified or identifiable natural person (the data subject). This includes such information as name, phone number, email address, ID number, health records, political opinions, IP address, etc. Data counts as personal even when a single item is not unique on its own, as long as it can be combined with other information to identify the person.

What is the processing of personal data?

Any operation performed on the personal data of the organization's data subjects, whether or not by automated means. This includes such actions as collecting and storing the data, analyzing it in any way to extract insights, disclosing it to a third party, or deleting it once it is no longer required.

What is a data subject?

Any identified or identifiable natural person whose personal data is processed by the organization. This is broader than registered users: a person who created a username on the organization's website is a data subject, but so is anyone whose personal data the organization holds, such as a customer, an employee, or a visitor whose IP address was logged.

What is a data breach?

Any security incident, accidental or unlawful, that leads to the destruction, loss, alteration, or unauthorized disclosure of personal data, or to unauthorized access to it. Unauthorized disclosure or access includes the viewing, copying, stealing, or altering of personal data by anyone who is not permitted to do so.

Who is the DPO?

The Data Protection Officer is the organization's main stakeholder for all aspects of GDPR compliance. They are responsible for monitoring that the GDPR requirements are adhered to and act as the contact point for data subjects and for the supervisory authority.

Key Takeaways / Conclusions

1. Do not respond to any suspicious emails, texts, phone calls from unknown numbers, or messages, especially ones that refer to the breach and ask you to verify or update your details.

2. Do not open any attachments or links from people you do not know or from messages you were not expecting.

3. If you are uncertain whether any form of communication is malicious, please reach out to the DPO whose credentials appear in row #1 of this form.

4. Only follow instructions which come from the DPO, and verify them through the contact details given in this form rather than through contact details supplied in an unsolicited message.

5. The form should be written in simple everyday language, and it should be easy for data subjects to understand.

6. A copy of the notification, together with the facts of the breach, its effects, and the remedial action taken, should be kept on record for audits and for the supervisory authority.