In the case of a personal data breach, data controllers need to inform the supervisory authority “without undue delay” and within 72 hours unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”.
If the nature of the breach presents a high risk to the rights and freedoms of individuals, then the data controller needs to inform the data subjects (individuals). This communication needs to be understandable. The data controller need not inform the individuals affected if:
The breach notification needs to contain:
Be prepared for 25 May 2018.