Do any public or regulatory authorities need to be informed of the data breach?

Consider whether the organisation or any individual is under any legal or regulatory obligation to notify any public authority of the data breach, such as:

  • the authority responsible for matters relating to data privacy
  • a central government ministry or other government body. If the data concerns central government functions (in particular military, security or policing agencies), local government, or health and social services, consider whether the relevant government bodies need to be notified
  • any relevant sector regulator
  • any relevant regional or local authority

If such obligations arise, the incident management team should consider the form and timing of any notification and whether any additional obligations apply to your sector.

From a data privacy perspective, the General Data Protection Regulation (which will take effect on 25 May 2018) will apply across the whole of the EU and will typically require data controllers to notify serious data breaches to the relevant data privacy regulator “without undue delay” and in any case within 72 hours of becoming aware of the breach.