DPC GDPR Breach Notification
Overview
Breach notification and response under Ireland's DPC and GDPR Art. 33–34: notification to the DPC within 72h, communication to data subjects where the risk is high, risk levels, the DPC form, and the internal record.
Getting Started
Add your source materials to the project workspace, then activate the DPC GDPR Breach Notification skill. The agent will guide you through the process step by step.
Example conversation
You: We’ve just discovered a breach—some customer emails were sent to the wrong mailing list. We need to decide whether to notify the DPC and affected people, and if so, draft the notification. Can you help?
Agent: I’ll use the breach skill reference (72h rule, risk levels, DPC form). First I need: type of data exposed, number of people, whether it’s cross-border, and any mitigating factors. I’ll suggest a self-declared risk level (Severe/High/Medium/Low) and whether Art. 33 (notify DPC) and Art. 34 (notify individuals) apply. Then I’ll draft the risk assessment table and the key fields you’ll need for the DPC web form—without including any personal data in the draft.
Output excerpt
Breach risk assessment (excerpt)
| Item | Content |
|---|---|
| Brief description | Customer email addresses (approx. 200) sent to wrong mailing list due to misconfiguration. |
| Data exposed | Email addresses; no passwords or special categories. |
| Self-declared risk | Medium — impact possible but unlikely to be substantial; limited data; no vulnerable individuals identified. |
| Notify DPC? | Yes (risk present). Notify within 72h. |
| Notify data subjects? | Assess: if high risk, inform without undue delay. Current assessment: medium → document; consider individual notification if contact details were exposed. |
| Cross-border | No. |
Draft for DPC form: use subject line e.g. “New Breach Report, [Org Name], Medium Risk”. Do not include personal data of affected individuals in the notification.
Extension and validation
The skill includes a validate_breach_notification tool that checks your breach notification or internal record draft:
- Required content: Brief description of the breach, data exposed, self-declared risk level (Severe/High/Medium/Low), decision on DPC notification (and 72h), decision on data subject notification, and cross-border indication. Missing elements are reported as errors.
- Placeholders: Detects unfilled placeholders (e.g. [ ... ], TBD, TODO) so you can complete the draft before submission.
- Personal data: Warns if the text appears to contain personal data (e.g. email addresses or “Name: …” style lines). Do not include personal data of affected individuals in the DPC notification.
Run the tool on your draft and ensure no personal data is included in the text you submit to the DPC.
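A sketch of the three checks listed above, added here as an illustration; it is not the skill's validate_breach_notification implementation. The row labels follow the excerpt table, while the function names, value patterns and sample draft are assumptions.

```python
import re

# Row labels follow the excerpt table above; the value patterns are assumptions
# of this sketch, not the skill's own rules.
REQUIRED = {
    "brief description": r"\S",
    "data exposed": r"\S",
    "self-declared risk": r"^(severe|high|medium|low)\b",
    "notify dpc?": r"^(no\b|yes\b.*\b72\s?h)",  # a "yes" must mention 72h
    "notify data subjects?": r"\S",
    "cross-border": r"^(yes|no)\b",
}
PLACEHOLDER = re.compile(r"\[[^\]\n]*\]|\bTBD\b|\bTODO\b")
PERSONAL = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "'Name:' line": re.compile(r"^[\s|]*name\s*:", re.I | re.M),
}


def parse_rows(text):
    """Map each two-cell 'Item | Content' table row to {item: content}."""
    rows = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and not set(cells[0]) <= set("-: "):
            rows[cells[0].lower()] = cells[1]
    return rows


def validate_draft(text):
    """Report missing content, unfilled placeholders and personal-data hints."""
    rows = parse_rows(text)
    errors = [f"missing or invalid: {item}" for item, rx in REQUIRED.items()
              if not re.search(rx, rows.get(item, ""), re.I)]
    placeholders = [m.group(0) for m in PLACEHOLDER.finditer(text)]
    warnings = [label for label, rx in PERSONAL.items() if rx.search(text)]
    return {"errors": errors, "placeholders": placeholders, "warnings": warnings}


# Constructed sample draft (not a real notification).
INCOMPLETE = """\
| Brief description | TBD |
| Data exposed | Email addresses, e.g. jane@example.com |
| Self-declared risk | [ ... ] |
| Notify DPC? | Yes |
Name: Jane Example
"""

if __name__ == "__main__":
    print(validate_draft(INCOMPLETE))
```

The bracket pattern flags any bracketed text, so a legitimate bracketed phrase in a draft shows up as a placeholder and needs a manual look.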