OneTrust Certified Privacy Professional Practice Exam


Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Under GDPR, what must companies do if there's a data breach affecting individuals' rights and freedoms?

  1. Notify affected individuals without delay

  2. Only notify them if they request information

  3. Publish a public statement

  4. Do nothing if it's less than 72 hours

The correct answer is: Notify affected individuals without delay

Under GDPR, when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the affected data subjects without undue delay (Article 34). This is distinct from the obligation to notify the supervisory authority, which applies whenever the breach is likely to result in a risk (not only a high risk) and must be done where feasible within 72 hours of becoming aware of it (Article 33).

The requirement to tell individuals is rooted in GDPR's principle of transparency. Prompt notice lets people take protective steps, such as changing passwords, revoking tokens, or watching accounts for suspicious activity. The communication must describe the nature of the breach in clear and plain language and include, at a minimum, the contact point for further information, the likely consequences of the breach, and the measures taken or proposed to address it (Article 34(2), by reference to Article 33(3)). Notifying affected individuals promptly therefore both satisfies a legal obligation and preserves trust between organizations and the people whose data they process.

The other options do not reflect GDPR's requirements. Notifying individuals only on request undermines the proactive nature of the obligation. A public statement is not the default: Article 34(3)(c) permits a public communication or similar measure only as a fallback, when direct communication would involve disproportionate effort, and even then it must inform data subjects in an equally effective manner. Doing nothing because fewer than 72 hours have passed confuses the deadline for notifying the supervisory authority with the duty to inform individuals, which has no such grace period; the 72-hour figure is a maximum for the authority notification, not a window in which a controller may stay silent.

Note also that Article 34(3)(a) and (b) exempt the controller from notifying individuals if the affected data was rendered unintelligible to unauthorized persons (for example, through encryption with keys that were not compromised) or if subsequent measures have ensured the high risk is no longer likely to materialize. These exemptions relieve the controller of the communication to individuals, not of the obligation to notify the supervisory authority or to document the breach under Article 33(5).