Simplify Compliance with GDPR Breach Notification Obligations

The Radar incident response and decision-support platform helps privacy professionals and their organizations comply with the complexities of the EU General Data Protection Regulation (GDPR). This broad legislation poses significant challenges for compliance professionals, including a 72-hour breach notification timeline as well as hefty consequences for noncompliance – potential fines up to €20M or 4% of an organization’s total worldwide annual turnover, whichever is higher.

Request a Demo

GDPR Ready with Radar

Radar’s patented Breach Guidance Engine™ provides consistency and efficiency for compliance with the GDPR’s complex breach risk assessment and notification obligations. Radar’s multi-factor and multi-jurisdictional decision-support platform operationalizes breach notification under the GDPR. Using Radar, you can:

Efficiently capture breach details and risk profiles

Through an intuitive interface, you can capture breach details including key risk factors, such as the intentional or unintentional nature of the breach, data protection measures, risk mitigation outcomes, and the scope and sensitivity of personal data involved.

Quickly perform risk assessments to make consistent and timely notification decisions

Details of the breach notification requirements are codified into the Radar Breach Guidance Engine™, which recognizes the nuances in DPA and affected individual notification requirements for organizations with or without an establishment in the EU.

Provide supervisory authority notification within the 72 hour timeframe

Track and prioritize notification requirements in a central dashboard. Create and manage notification letters directly from the assessment profile, maintaining a repository of every notification.

Benefit from automation to make efficient, informed decisions

Radar scores the severity of a breach and sensitivity of involved data, generates a risk heat map, and provides decision support for regulatory and contractual notification obligations.

Want to see more?

Request a Demo

Frequently Asked Questions: Breach Notification
Requirements and the GDPR

Compared to US State and Federal regulations, personal data has a broader definition under the GDPR, meaning “any information relating to an identified or identifiable natural person,” with particular sensitivity  to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation. 

The GDPR regulates all forms of personal data, electronic and non-electronic.

Under the GDPR, personal data breach means a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Based on this definition, an incident could potentially be categorized as one or more of the following: an availability breach, meaning accidental or unlawful destruction or loss of personal data; an integrity breach, meaning alteration of personal data; or a confidentiality breach, meaning unauthorized disclosure of, or access to, personal data.

Entities that may need to be notified under GDPR breach notification requirements include affected data subjects, lead supervisory authority (one-stop-shop), and multiple supervisory authorities (no EU establishment).

For supervisory authorities, notice is required “without undue delay and, where feasible, not later than 72 hours after having become aware.”

For data subjects, notice is required “without undue delay.”

For organizations used to US State and Federal notification regulations, the 72-hour notification window is an extremely tight timeframe. Under state laws, notification is generally required in the most expeditious manner possible, without unreasonable delay. In recent years, there has been a growing trend in state regulations to adopt more stringent notification timelines, typically 30–45 days from breach discovery.

State-of-the-art encryption may be considered an appropriate technical protection measure in respect to whether notification to data subjects is required, but is not considered an exception from notification as it is under US law.

The only true “exception” under the GDPR relates to anonymized data. If data is anonymized, the data subject cannot be identified, which removes the data from the scope of the GDPR.

The GDPR brings with it significant consequences for organizations that process or hold the personal data of EU data subjects.

One of the highest profile consequences of noncompliance is the potential for fines up to €20M or 4% of an organization’s total worldwide annual turnover, whichever is higher.

Radar takes into account clear and nuanced differences in global breach notification laws, including:

  • Definitions of breach, personal data, and regulated forms of data
  • Awareness and discovery dates
  • Regulation specific risk of harm assessments
  • Notification timelines (whether it’s in the most expeditious manner possible, within 30 days of discovery, or
    not later than 72 hours after having become aware)
  • Who needs to be notified and what information must be included
  • Safe harbors or exceptions from notification