Anita Anand of Allen & Overy writes:
The Article 29 Working Party this week published draft Guidelines on personal data breach notificationunder GDPR. The relevant GDPR provisions are often misrepresented, and in many respects leave matters open to interpretation – a good or bad thing depending on the day. Many are now asking what further clarity the draft guidelines bring for companies looking to design and implement a GDPR-compliant incident response and breach notification process in time for May 2018.
Assessing risk
GDPR makes it clear that a wide range of types of risk must be considered in assessing the impact of a personal data breach: physical, material, or non-material damage. The more difficult question is whether the degree of risk is such that the supervisory authority or the affected data subjects must be notified.
Read more on Lexology.