Auratech Legal Solutions

Data Breach: When to Notify the AEPD and What to Do in 72 Hours

A personal data breach is not just any IT incident. It is a security breach that causes accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data. It may affect customers, employees, suppliers, users or patients.

Personal data breach notification

The GDPR requires quick action. If the breach may result in a risk to individuals’ rights and freedoms, it must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours after the organisation becomes aware of it.

When to notify a breach to the AEPD

Notification is required when the breach may create a risk for affected individuals. Examples include exposure of identification, financial or health data, credentials, identity documents, children’s data, sensitive employment information or unauthorised access to databases.

Not every incident requires notification, but every incident should be assessed and documented. If the breach is unlikely to result in risk, notification may not be required, but the assessment should be kept.

When to inform affected individuals

In addition to notifying the AEPD, the organisation may need to communicate the breach to affected individuals when there is a high risk to their rights and freedoms. The communication should be clear and explain what happened, what data was affected, possible consequences and recommended measures.

What to do in the first 72 hours

  1. Contain the incident: block access, isolate systems or revoke compromised credentials.
  2. Identify what personal data has been affected.
  3. Estimate the number of affected individuals and data categories.
  4. Assess the risk to rights and freedoms.
  5. Document facts, dates, decisions and measures taken.
  6. Notify the AEPD where required, even if information must be completed later.
  7. Prepare communication to affected individuals if there is a high risk.

Common mistakes

Recommended official sources

Conclusion

The key after a data breach is to react quickly, assess the risk and document every decision. A response protocol prepared in advance reduces mistakes and helps the organisation meet the 72-hour deadline.
