Stuart Davey, Daniel Widmann and Gemma Erskine of Pinsent Masons were commenting after the European Data Protection Board (EDPB) announced a common template for data breach notifications under the EU General Data Protection Regulation (GDPR).
Davey said: “The EDPB's announcement that it is consulting on a new template for notifying data protection authorities of a data breach is a welcome one. Historically, when organisations are faced with a data breach, coordinating notifications across a variety of different requirements and forms can be a significant challenge; a consistent set of questions will bring much-needed clarity.”
“However, this does not remove the need for local legal advice and legal oversight. Many jurisdictions retain local considerations and impose additional requirements, such as obligations to notify law enforcement or cybersecurity agencies, which organisations should bear in mind,” he added.
Under the GDPR, organisations are obliged to disclose certain personal data breaches to data protection authorities and to affected individuals. Article 33 requires controllers to notify the competent supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons"; a notification made after 72 hours must be accompanied by the reasons for the delay, and Article 33(4) allows the required information to be provided in phases where it cannot all be provided at the same time. In addition, under Article 34, where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must be informed directly without undue delay.
The EDPB template contains various fields that organisations either must, or can choose to, complete. There are 125 questions in total, “a considerable number for a template intended to ‘streamline’ the notification process”, according to Erskine.
The questions broadly align with the details the GDPR itself requires in a breach notification but go a step further in requiring additional explanation and detail about the breach experienced. The GDPR-mandated details (Article 33(3)) are: the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; the name and contact details of the organisation’s data protection officer or other contact point; the organisation’s assessment of the likely consequences of the personal data breach; and the measures it has taken or proposes to take to address the breach, including measures to mitigate its possible adverse effects.
Widmann said: “From a German perspective, the move towards a standardised notification template is generally welcome. In practice, organisations often need to engage with up to 16 different supervisory authorities in Germany, which may apply slightly different reporting formats. Greater harmonisation therefore has clear practical benefits.”
“That said, the proposed template is notably detailed and significantly more extensive than many of the templates currently used by German authorities. It runs to considerable length and, in parts, requires information that organisations will typically not yet have available within the initial 72-hour notification window – for example, in relation to the assessment of risks for data subjects or the need for communication to affected individuals,” he said.
“Overall, while the initiative is a step in the right direction, there remains scope to refine the template to better reflect the realities of time-critical incident response,” Widmann added.
The proposal should be viewed alongside the EU’s ‘omnibus’ proposals, which also seek to streamline organisations’ obligations to report security and data breaches under a suite of often overlapping EU regulations, Davey said: “While there are duties to notify personal data breaches under the GDPR, businesses should be cognisant of the fact that those incidents may also be reportable under other legal frameworks. In the EU, for instance, the NIS2 Directive requires certain cyber incidents to be notified to regulators. Depending on the circumstances of an incident, it could be notifiable under NIS2 as well as the GDPR.”
The new template is subject to an implementation process and a public consultation that runs until 5 August 2026.