Paperjam.lu

Illustrative image: Blogtrepreneur (CC BY 2.0) 

Among its provisions, the EU’s General Data Protection Regulation requires “data controllers” (organisations that keep personal information) to inform their national regulator of a data breach within 72 hours of discovering it, “if the breach is likely to result in a risk to the rights and freedoms of individuals.”

The GDPR applies starting 25 May.

On its website, the CNPD said organisations were not required to use the form, but it listed the required information.

The CNPD also stated that organisations needed to document all breaches of personal data, even those that are not reported to the privacy watchdog. Organisations are required to record the facts surrounding the breach, its impact and the steps taken to remedy the situation. The CNPD can ask to check this documentation.

The reporting form was published on 12 February, and is available in English and French. It should be submitted via email to [email protected].