How long does a data controller have to conduct an assessment of the data breach after becoming aware of it?

Understand the Problem

The question is asking about the timeframe within which a data controller must perform an assessment following the discovery of a data breach. This relates to regulations governing data protection and breach notification procedures.

More Information

Under the General Data Protection Regulation (GDPR), a data controller must notify the relevant supervisory authority within 72 hours after becoming aware of a personal data breach if it may result in a risk to the rights and freedoms of individuals.

Tips

A common mistake is assuming there is no need to notify if only minimal data is involved. Always assess the risk to individuals' rights and freedoms.

Sources

• Notification of a personal data breach to the supervisory authority - gdpr-info.eu
• The web page with info on - Information Commissioner's Office - ico.org.uk