All too often, data breaches are the result of preventable internal errors. These mistakes, and the reputational damage that follows them, are increasingly keeping business leaders up at night. What is often most concerning is that it is not only the financial damage that can prove catastrophic: when the personal data of thousands of customers and partners is affected by a breach, organisations can also face significant legal ramifications in the form of litigation and GDPR violations.

A data breach notification must contain at least the following information:

  • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data sets concerned;
  • the name and contact details of the Data Protection Officer or other contact point for further information;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

Organisations that do not comply with the legal requirements for reporting data breaches face heavy fines. For the particularly serious violations listed in the Data Protection Act under Article 83(5), fines can reach up to 20 million euros or up to 4% of the organisation's total worldwide annual turnover in the previous financial year — whichever is higher.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.