Obeying 72-Hour Mandatory Notification Window under General Data Protection Regulation (GDPR): A Checklist

April 24, 2018

General Data Protection Regulation (GDPR)

Article 33 of the General Data Protection Regulation (hereinafter referred to as the ‘GDPR’)[1] mandates that companies should report the personal data breach to the supervisory authority within 72 hours after becoming aware of it. Non-compliance of this 72-hour mandatory notification window would result in heavy penalty mentioned in the Regulation itself. This requirement will prove to be challenging if proper planning and appropriate procedures are not in place. Careful planning would ensure and increase the chances of compliance with the GDPR.

Therefore, a detailed plan is important to beat the 72-hour mandatory notification window. Below are some steps that may be there to ensure compliance with Article 33 of GDPR:

  • Train and educate the employees regarding the meaning of personal data breach, Article 33 of GDPR and other important articles mentioned in the regulation. This is important to make sure that the employees can identify when it actually happens and react timely.
  • Prudently examine the policy with regards to personal data breach and check if it requires reworking. Two important questions that the policy should answer are:
    1. Time taken and steps that would be taken about the personal data breach
    2. Mode of notification to the concerned parties[2]

For this process to work effectively, it’s vital to have communications, legal and management teams looped in and briefed in advance, so that they are ready to work together. Such preparations should include drafting a letter template and clarifying the process for sharing these communications to the concerned authorities and individuals, so that everyone is clear on their responsibilities in the event of a breach.

This is the most important preparatory step as timely reaction and reporting can be done only if proper procedures are recorded timely and are in place when required.

  • SSort the personal data that the company holds. The sorting can be done in the decreasing order of the critical nature of the personal data, i.e. from the most critical to the least critical.
  • Identify the steps from the company’s personal data breach policy that is essential to be taken in the 72-hour mandatory notification window. These steps could be:
    1. Identifying the personal data breach
    2. Investigating at the company level so that the initial risk assessment can be done.
    3. Notifying the supervisory authorities
  • Setting up and maintaining security alerts so that the personal data breach can be identified as soon as it happens. Alerts can be grouped by assets, such as people, and those involving customer data could be labelled as relevant to GDPR. This will help the company to spot more quickly when a breach has occurred and save the valuable time when it is needed.[3]
  • Time the steps from the company’s personal data breach policy that are essential to be taken in the 72-hour mandatory notification window. This planning would help apt compliance in stressful situation.

For more information please write to us at :info@ssrana.com


[1]Available at https://gdpr-info.eu/art-33-gdpr/

For more information please contact us at : info@ssrana.com