Spain’s DPA helps you decide whether to report data breaches to affected individuals

Spain’s Data Protection Authority, the AEPD, yesterday published a tool, Comunica-Gap RGPD, to help organisations decide whether to inform individuals that they have suffered a data breach.

This tool is designed as a win-win for all parties involved to enable organisations to take the right action when faced with a possible data breach. The tool is free and easy to use by enabling organisations to complete a short form. The questions focus on: when does the law consider a set of facts pose a high risk to the rights and freedoms of individuals? The answer enables organisations to take appropriate action.

The tool offers a response to three possible scenarios:

  1. a security issue with a high risk
  2. communication to affected individuals is not necessary
  3. the level of risk cannot be determined.

The questions cover subjects, such as sector, the breach itself, the consequences, data categories and affected people.

Using this tool does not replace the duty to notify a breach to the AEPD where necessary.