DPC - A Practical Guide to Personal Data Breach Notifications under the GDPR

Below is an outline of the educational document "A Practical Guide to Personal Data Breach Notifications under the GDPR" by the DPC. If you are a member, you can log into our Digital Library and view it in your browser using the email address you signed up with. Only members can successfully log in.

  • Location in the Digital Library (members only): Books and Guides > Privacy Docs


1. Introduction
2. Overview of Breach Notification Regime
3. What is a personal data breach?
4. When does a controller have to notify the DPC of a breach under the GDPR?
5. What should a notification to the DPC contain?
6. When does a controller have to communicate a personal data breach to data subjects?
7. What should a communication to a data subject contain?
8. Can controllers notify data subjects of a breach even if the risk is not assessed as high?
9. Assessing Risk
10. Case Studies – Under-Estimation of Risk
11. Case Study – Over-Estimation of Risk
12. Late Notifications or No Notification
13. Case Study – No Communication
14. Inadequate Reporting
15. Case Study – Inadequate Reporting
16. Technical Knowledge
17. Case Study – Inadequate Technical Knowledge
18. Repeat Breach Notifications
19. Case Study – Repeat Breach Notifications
20. Social Engineering
21. Case Study – Social Engineering
22. Data Accuracy
23. Case Study – Data Accuracy
24. Conclusions and Recommendations
25. Obligations to Notify and Communicate – Articles 33 and 34
26. Assessing Risk
27. Information to Be Provided
28. Personal Data Breach Policy and Procedure



Next steps:

This article was contributed by Racquel Bailey from Jamaica. Jason is a member of the Caribbean CSPA.
