Today the Gibraltar Regulatory Authority (“GRA”), as the Information Commissioner (the “Commissioner”), has published a guidance note on the European Union’s General Data Protection Regulation (“GDPR”) and Gibraltar’s Data Protection Act 2004 (“DPA”).
The GDPR requires organisations that process personal data to notify the Commissioner of a personal data breach within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. In some cases, organisations will also be required to communicate a data breach to individuals whose personal data have been affected by the data breach.
This guidance note aims to provide organisations with advice on the GDPR’s data breach notification requirements. The guidance includes examples to help organisations determine whether they need to notify a personal data breach, a flowchart that illustrates the notification requirements under the GDPR, and a data breach notification form for organisations to use when reporting a breach. The guidance note is available on the data protection section of the GRA’s website – http://www.gra.gi/data-protection/general-data-protection-regulation.
The GRA is the nominated authority responsible for the enforcement of data protection law in Gibraltar and carries out the functions assigned to it to uphold the rights of individuals and their privacy. As part of his efforts to promote data protection compliance and good practice, the Commissioner issues guidance notes aimed at helping organisations improve their data protection practices and comply with the law.