Luxembourg’s data protection agency, the CNPD, has released a data breach notification form ahead of strict new European rules coming into effect later this year.
Among its provisions, the EU’s General Data Protection Regulation requires “data controllers” (organisations that keep personal information) to inform their national regulator of a data breach within 72 hours of discovering it, “if the breach is likely to result in a risk to the rights and freedoms of individuals.”
The GDPR applies starting 25 May.
On its website, the CNPD said organisations were not required to use the form, but it listed the required information.
The CNPD also stated that organisations needed to document all breaches of personal data, even if they are not reported to the privacy watchdog. Organisations are required to record the facts surrounding the breach, its impact and the steps taken to remedy the situation. The CNPD can ask to check this documentation.