GDPR Article 34-02: Maintain a Breach Register
A breach register is your critical documentation tool for GDPR compliance. It requires you to record all personal data breaches—whether notifiable or not—in a format that enables supervisory authorities to verify your compliance with Articles 33 and 34. Without a systematic breach register, you risk regulatory penalties and inability to demonstrate your breach management process.
What this means
GDPR Article 34-02 mandates that organizations maintain a comprehensive register documenting every personal data breach. This goes beyond just notifiable breaches; you must record all incidents involving unauthorized or accidental processing that compromises data security or integrity. The register serves as evidence to supervisory authorities that your organization has identified, assessed, and managed breaches according to GDPR requirements. This documentation enables regulators to verify your compliance with notification timelines, risk assessment procedures, and corrective actions.
How to comply
- 1.Create a centralized breach register template capturing: date of discovery, nature of breach, data categories affected, approximate number of individuals impacted, likely consequences, and measures taken
- 2.Document all breaches immediately upon discovery, including those not requiring notification to supervisory authorities or data subjects
- 3.Record breach assessment findings: whether notification was required, risk level determination, and justification for any decisions not to notify
- 4.Maintain breach register entries for a minimum of 3 years to demonstrate compliance history to authorities
- 5.Ensure register accessibility to your Data Protection Officer and authorized compliance personnel
- 6.Update register entries with remediation steps, investigation findings, and preventive measures implemented
- 7.Prepare register for supervisory authority review during compliance audits or investigations
Evidence auditors look for
- Breach register spreadsheet or database with timestamped entries for each incident
- Documentation of breach discovery date, notification decisions, and authority communications
- Records showing breach risk assessment methodology and notification threshold determinations
- Evidence of corrective and preventive actions taken in response to each documented breach
- Data retention policies confirming minimum 3-year retention of breach register entries
- Access logs showing who reviewed and updated breach register entries
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates breach register capture and maintenance, logging incidents in real-time, calculating notification thresholds automatically, and generating audit-ready documentation for supervisory authority reviews.
See how GRCWatch handles this control automatically
Start free trial