In what form should the breach register be maintained? Is there a template for such a register?
ANSWER
Art. 33(5) GDPR, which provides for the requirement to document personal data breaches, does not specify any particular form in which the breach register is to be maintained. In the author's view, the most practical solution remains maintaining the register in electronic form in a way that allows easy updating of the document and, if necessary, its transmission or printing for representatives of the supervisory authority.
Regarding the scope of the register, guidance can be found in the Article 29 Working Party guidelines (WP 250).
In accordance with that document: "Although the controller determines the methods and structure of documenting breaches, in all cases certain key elements of the recorded information must be included. Pursuant to Art. 33(5), the controller is required to record detailed information about the breach, which includes its causes, the sequence of events, and the scope of personal data affected by the breach. These should also include the effects and consequences of the breach, taking into account the remedial measures taken by the controller." It may also be helpful to include in the register information as to whether a specific event was reported to the supervisory authority and whether affected data subjects were notified of the breach.