Clearly, nobody wants their company to be involved in a data breach. However, if you do end up in this situation, responding properly can reduce your liability and help salvage your reputation. Therefore, make sure you plan for how you will handle data breaches. One of the most important components in that plan will be how you notify your customers and other affected. Let’s talk about how to write a data breach letter.
According to GDPR, you must report any data breach that is likely to result in a risk to the rights and freedoms of individuals within 72 hours. As soon as you realise you’ve had a data breach, perform a risk assessment. Try to determine:
Gathering this information will help you properly notify your local data protection authority. Note that the 72-hour timeframe starts from the moment you become aware of the breach, you do not get extra time to complete your investigation. Putting off reporting a breach can result in further fines and penalties.
Start your GDPR cleanup where it is needed the most
Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.
When you notify the supervisory authority that you have had a data breach, always include:
Now, let’s talk about when you should notify people affected and how to do it properly.
GDPR article 34 states that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, you should notify the data subjects it may affect, without undue delay.
It does mention a few exceptions where you may not need to notify individuals of the breach. For example:
If you think one of these exceptions applies to you, you can wait to see if the supervisory authority requires you to inform people of the breach. On the other hand, if your own risk assessment shows that the data breach is likely to put people at risk, it is best to let them know right away. Again, this will reduce your liability in the long run. Further, it will help protect the people whose data was breached.
Get our Newsletter!
In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.
When you sign up for our newsletter you get a license for one user to ShareSimple , which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.
Your data breach notification letter to customers should give them a clear, easy to understand description of what happened and what you are doing about it. It should also tell them what they can do to protect themselves. Before drafting your letter, prepare answers to the following questions:
Once you have prepared the answers to these questions, you are ready to draft your letter. Remember to be transparent. Take accountability for the breach. Finally, make it clear that your company takes people’s privacy seriously and that you will continue to do all you can to protect it.
Try adapting this data breach letter template to report a privacy breach incident to affected people:
Subject: Data privacy breach incident
Dear [first name] ,
We are writing to let you know about a recent privacy incident that affects your personal data. On/starting [date], [use clear simple language to describe exactly what happened and why you consider it a privacy breach.]
Our investigation shows that some information about you was involved, including your:
This incident did NOT affect your:
We take incidents like this very seriously, and we have already [d escribe the steps you have taken to minimise harm caused by the breach]. Additionally, we will be [list additional steps you intend to take to contain the breach and protect the person]. Moving forward, we will use [d escribe new policies, software, services or other measures you will use to reduce the likelihood of similar problems in the future].
Please carefully consider whether a privacy breach of the information we mentioned above might harm you. If so, here are a few things you can do to protect yourself.
[Include some/all of the following sections, depending on what data was leaked.]
Reduce marketing calls and spam
Prevent identity theft
Protect your financial accounts
If you have any questions or concerns, please contact :
[Your DPO or another contact person within your company.]
If you are not satisfied with how we have handled this incident or you have experienced some harm as a result of it, you can make a privacy complaint at [email] .
Please explain how you have been affected and what we can do to resolve your complaint . If we cannot resolve the issue , you can also make a complaint to [local data supervisory authority]:
[Local data supervisory authority contact]
Your privacy is our priority and we will continue to monitor the situation and use every recourse to protect your personal data. Please do not hesitate to contact us with any questions.