Carnegie Mellon University

GDPR Breach Notification

The General Data Protection Regulation (“GDPR”) generally requires organizations to notify supervisory authorities (as defined in GDPR) of a “Personal Data Breach” and in some cases affected individuals.  Under GDPR, an Information Security Incident is a Personal Data Breach when it leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any information relating to an identified or identifiable natural person (“personal data”) transmitted, stored or otherwise processed by or on behalf of the organization. 

The standard for notification to supervisory authorities is when the Personal Data Breach is likely “to result in a risk to the rights and freedoms of natural persons.” The standard for notification to data subjects is a Personal Data Breach that is likely to result in a “high risk to the rights and freedoms of natural persons.”

If, after investigating a suspected personal data breach, the Information Security Office determines, based on a risk assessment of the factors below, that a breach of personal data has occurred that is likely to result in a risk to the rights and freedoms of natural persons, the Information Security Office in concert with the Office of General Counsel will notify supervisory authorities.  If the breach is determined to present a high risk, the Information Security Office in concert with the Office of General Counsel will also notify data subjects.

Some of the factors that will be used to determine risk vs. high risk are:

  • The severity of potential consequences for individuals, covering financial, physical, psychological, reputational and even cultural harm and social disadvantage.
  • Any special characteristics of the individuals, such as whether they are children or otherwise vulnerable.
  • Characteristics of the recipient, such as whether the recipient is “trusted” (i.e., will not read or access the information sent in error and will comply with instructions to return/destroy copies of personal data).
  • How easily an individual can be identified.
  • The nature, sensitivity and volume of data.  The more sensitive the data, the greater the potential harm.  Combinations of personal data are typically more sensitive.  The higher the volume of personal data, the greater the potential harm.
  • How many individuals are affected.  The more individuals affected, the more severe the impact may be, keeping in mind that even a single individual may suffer a severe impact, depending upon the nature and context of the personal data that has been compromised.

Timing of Notification 

Notice to the supervisory authorities will be sent without undue delay and, where feasible, no later than 72 hours after determining that a Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons. 

Notice to individuals will be sent without undue delay.

Content of Notification

When reporting a breach to supervisory authorities, the notice will provide:

    • a description of the nature of the Personal Data Breach including, where possible:
        • the categories and approximate number of individuals concerned; and
        • the categories and approximate number of personal data records concerned;
    • the name and contact details of the primary point of contact;
    • a description of the likely consequences of the Personal Data Breach; and
    • a description of the measures taken, or proposed to be taken, to deal with the Personal Data Breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

When reporting a breach to individuals, the notice will provide:

  • the name and contact details of the primary point of contact;
  • a description of the likely consequences of the Personal Data Breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the Personal Data Breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

User Practices

Users are required to follow the Procedure for Responding to a Compromised Computer if they suspect that the security or privacy of a Carnegie Mellon computing resource has been compromised.

Revision History

Status:  Published 
Published:  05/22/2018
Last Reviewed:  05/22/2018
Last Updated:  05/22/2018