Communication of Personal Data Breach to the Data Subject
Description
When a personal data breach is likely to result in high risk to data subjects, the controller shall communicate the breach to data subjects without undue delay.
⚠️ Risk Impact
Subject notification is required when a breach is likely to result in a high risk to the rights and freedoms of data subjects. The risk assessment must be documented; defaulting to non-notification without a documented assessment invites enforcement action.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Perform a risk-of-harm assessment for each breach. Maintain templates for subject notification and a mass-notification capability. Where notification is not made, document the rationale for that decision.
💀 Real-World Attack Scenario
A company experienced a breach affecting 2M EU users. Its risk assessment concluded 'low harm' because the affected data was encrypted, but the assessment was never documented. The DPA disagreed with the determination, ordered full notification of the affected users, and imposed a €4.5M fine for late and insufficient notification.
💰 Cost of Non-Compliance
Article 34 violations: fines of up to €10M or 2% of annual worldwide revenue.
📋 Audit Questions
1. Is there a risk-of-harm assessment template?
2. Are subject notification templates in place?
3. Is there a mass-notification capability?
4. Is the rationale for non-notification documented?
⚡ Common Pitfalls
- ⛔ Non-notification without a documented rationale
- ⛔ Notification content missing required elements
- ⛔ Mass-notification capability untested
📈 Business Value
Compliant subject notification preserves customer trust and ensures the decision is defensible before the DPA.
⏱️ Effort Estimate
Templates plus a per-breach assessment.
EchelonGraph supports the breach-notification workflow.
Automate GDPR Art. 34 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.