GDPR Data Breach Notification Template With Examples [Download]
The GDPR is a law developed by the European Union (EU) to protect individuals’ personal data. Although it originated in the EU, several countries and organisations outside Europe have to date also adopted this regulation, which shows how detailed and well-thought-out it is.
Among the GDPR’s many requirements, the data breach notification letter is one of the most important.
Click here to download our GDPR breach notification template.
What is a Breach Notification Letter?
A breach notification letter is a way of fulfilling the requirements of GDPR in the event of a data breach. So how does it do that, you may ask? A breach notification letter is an email or a document that the organisation sends to affected customers and data protection authorities (DPAs) when a data breach occurs.
If a data breach poses a significant threat to the personal data of individuals, the organisation involved is legally required under the GDPR to inform the affected individuals within 72 hours. Your organisation’s Data Protection Officer (DPO) decides the severity of a data breach. If your organisation doesn’t have a DPO, you can hire a consultant to assess the severity.
Has your organisation undergone incident preparedness? How does an organisation demonstrate readiness against breaches? Get in touch for a consultation.
How to Use This Template To Write A GDPR Data Breach Notification Letter?
Let us understand how our breach notification template will help you write the data breach notification letter efficiently.
Step 1: Download the Data Breach Notification Template
The first step is simple.
Download our GDPR Breach Notification template and make your changes to a copy of it; the template is in Word format.
Step 2: Fill In Your Company’s Information
This section will contain basic contact details about your business or organisation, such as your company name, address, and phone number. This information will be important if customers want to contact you or have questions.
It also details your Data Protection Officer (DPO), who is responsible for breach notifications.
Step 3: Describe the Nature of the Data Breach
A company must explain how the data breach occurred and what data was compromised during the incident. Additionally, your notification should inform recipients about the severity of the compromised data and how your company is responding to the incident.
Step 4: Describe the Impact of the Data Breach
You should communicate the impact of the data breach clearly. Not all customers will understand the technical jargon behind the breach, so explaining it to them in simple terms is essential.
Step 5: Provide Recommendations
This is the most crucial step of the breach notification letter. Provide recommendations to the customers that they can implement from their end.
Step 6: Send Breach Notifications
Once you have the necessary information, share the reports with the relevant stakeholders. As per GDPR requirements, organisations must ensure that breach notifications are sent to the affected individuals and the Data Protection Authority (DPA) within 72 hours of the reported data breach.
Things You Should Know Before Filling The Breach Notification Template
Now, hold up! Before you start filling in the details of the breach notification letter, your organisation needs to understand what happened and why. Once you know the chronology of events, you can better explain them to your customers and other stakeholders.
What happened?
In this step, you should coordinate with your cybersecurity team to get an in-depth understanding of how the attackers were able to break into your systems and access personal data. Once you have identified the attack path, it is time to determine the impact of the data breach on your organisation.
While identifying the impact, you can consider the following factors:
- Number of customers affected
- Type of data breached: Was it personally identifiable data (PII)?
- Financial loss to the organisation
- Reputational damage
How did it happen?
Your team should identify how the attackers were able to penetrate your systems and gain unauthorised access to sensitive data. Then, identify the gaps and vulnerabilities in your systems and ensure that these vulnerabilities are fixed.
What Should You Do After Filling Up This Breach Notification Template?
The task is not over even after sharing the breach notification letter with your customers and the DPA. Your organisation should do many other things to ensure that such a data breach does not happen again.
Document Everything
You should document all the findings and remediation steps during and after the data breach. This document will act as a blueprint for improving your company’s security posture.
Conduct a Risk Assessment
The affected organisation should consider a third-party vendor’s risk assessment or penetration test to identify gaps and suggest appropriate remediation steps. A risk assessment shows the current weaknesses and helps analyse the issues so you can plan mitigations that drastically reduce your chances of being impacted by a data breach.
Implement the Recommendations
I bet you saw this step coming. This is where you must implement all the recommendations, including those from the risk assessment and from your Data Protection Authority. Your organisation should set a timeframe for implementing the recommendations. Once they are implemented, you should review them and conduct a mock drill to confirm they work.
GDPR Data Breach Notification Examples
There are many informative breach notification documents and examples available that can help you gain a better perspective on GDPR data breach notifications.
Health Service Executive (HSE) – Ireland
In May 2021, the HSE suffered a ransomware attack, and the attackers were able to access sensitive patient data. However, the HSE was quick to notify affected patients and the DPA and provided them with a detailed account of the data breach.
T-Mobile Data Breach
T-Mobile suffered a data breach in 2021 that affected several customers as the attackers accessed customers’ sensitive information. The data included PII such as their addresses, names, social security numbers, and driver’s license information.
T-Mobile informed the affected customers and offered two years of identity theft protection services.
Conclusion
GDPR’s breach notification rule is an essential part of the regulation and demonstrates a commitment to data security to your staff and customers. Organisations must be transparent about data breaches today. Therefore, data privacy and security measures must be driven by a strong security strategy rather than treated as an afterthought, which can be costly in terms of reputation and compliance.
*** This is a Security Bloggers Network syndicated blog from Cyphere authored by Amit Kumar. Read the original post at: https://thecyphere.com/blog/data-breach-notification-template/