Personal Data Breach Reporting
Reporting Personal Data Breaches
Personal Data (PD) Breach Reporting obligations are a critical part of the DIFC Data Protection Law 2020 (DP Law 2020) and many data protection laws like it around the world.
Making an honest, objective assessment of a breach, whether to report it and then, where necessary, reporting it are all valuable parts of the security and risk evaluation process of a company. It also shows transparency and willingness of an organisation to do the right thing by self-reporting to any relevant regulators and even to individuals, if needed.
PLEASE NOTE: To report strictly IT-related security breaches, please refer to the Information Security page of the DIFC website and use the tool available there to report. It may be required to report a Personal Data breach as well as an IT / IS breach. Please determine the requirements accordingly.
Should I Notify the Commissioner of a Personal Data or Security Breach?
The DP Law 2020 Article 41 / 42 Personal Data Breach Self-Assessment is for organisations and businesses to determine whether perceived Personal Data breaches are notifiable and report them to us.
If your organisation has possibly suffered a Personal Data breach that is likely to cause anyone serious harm, you are legally required to notify us, possibly other DP regulators, and you may also be required to notify affected individuals without undue delay.
If you have already determined that a PD or security at your organisation is notifiable, or wish to notify us in any case, please complete the Breach Reporting Form below.
Here is a checklist of what information is required.
Submit a Personal Data Breach Report
Reporting a Personal Data breach is an important part of accountability and transparency, and in certain instances, it is a requirement under the DP Law 2020, Articles 41 and 42. If you have determined that your organization has suffered such a breach that is reportable to the DIFC Commissioner of Data Protection, please do so using this form. Note that it will be submitted to the DIFC Portal for notification to the Commissioner through case management.
If you determine that you are required under Article 42 to notify an individual data subject whose Personal Data is involved in the breach, please do so separately as this form will not be shared with or reported to data subjects by the Commissioner's Office.
If you need to update a Personal Data breach report you previously submitted to us, you can:
Email your update to: firstname.lastname@example.org
Or access your previous service request in the DIFC Client Portal.