GDPR Software


GDPR Register Data Breach

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected (See below for more information from the ICO).

The Data Breach Register is a register to record all data breaches within your privacy network.

The data entry form for each register entry allows you to record the following:

  • The status of this breach;
    • New
    • Pending Assessment
    • Pending Response
    • Pending Authorisation
    • Pending Action
    • Closed
  • Data Breach Title: e.g. Malware Attack on the PC in the Accounts Department.
  • Notification Method: e.g. Email, Telephone call.
  • Breach Details: Describe all details known about the breach e.g. Browsing the internet during a lunch break, outdated Anti-virus software.
  • Data Assessment: What personal data could have been effected by this breach e.g. Keystroke recording malware, user has access to accounts data only. Access logs shows Invoicing is the only effected data.
  • Data Subject: Based on the Data Assessment what actual data items/people are effected e.g. Data possibly efffected is Name, Address, Email, Telephone.
  • Data Subject Response: The Data Subject(s) (Individual, Groups, Company, etc) response. e.g. Please remove all data from your systems.
  • Recommendations: Based on the Data Assessment, Data Subject Response and Policy/Procedures in place, recomendations to close out this item and prevent this Data Breach from occurring again. e.g. Remove all data from Accounts and Web store for cutomer, IT to review automatic Antivirus update of all PC's.
  • Actions: A log of all actions that were generated as part of this entry.

Further Information

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.


A hospital could be responsible for a personal data breach if a patient’s health record is inappropriately accessed due to a lack of appropriate internal controls.

What breaches do I need to notify the relevant supervisory authority about?

You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.

When do individuals have to be notified?

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly.

A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.

What information must a breach notification contain?

  • The nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

How do I notify a breach?

A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.

What should I do to prepare for breach reporting?

You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place.