What is required of a data controller if a data breach occurs?

Study for the BAFT Certificate in Principles of Payments Test. Utilize flashcards and multiple-choice questions, with hints and explanations for each query. Prepare thoroughly for your exam!

A data controller has specific obligations in the event of a data breach, primarily to ensure that relevant parties are informed promptly to mitigate potential harm. When a data breach occurs, one of the key requirements is to notify the relevant supervisory authority. This is a critical part of compliance with data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe, which mandates that data controllers report breaches to a designated authority within a specified timeframe, typically 72 hours if feasible. This notification helps the authority to manage the situation, potentially intervening to protect affected individuals and assess the implications of the breach.

While there are other communication obligations that might be relevant depending on the severity of the breach, including informing the data processor, Parliament, or the general public, the primary legal requirement is indeed to inform the supervisory authority. This step is crucial for regulatory compliance and maintaining transparency in data governance.
