Do any other parties need to be notified of the data breach?
Consider whether you need to notify entities other than public authorities and the data subjects. This will depend heavily on your own contractual obligations. Some of the issues you will need to consider are:
- are you subject to any contractual obligations to notify (eg if you are a data processor, you are likely to be obliged to notify the data controller of any lost data)?
- do your contracts/duties to employees or customers oblige you to notify them?
- do other group companies have separate relationships with affected individuals? Should they be notified?
