How should data breaches be reported according to GDPR?

Study for the IAPP Certified Information Privacy Professional/Europe Exam. Use flashcards and multiple choice questions for effective preparation, with detailed hints and explanations. Get ready to boost your career in data privacy!

Reporting data breaches under the General Data Protection Regulation (GDPR) is a critical responsibility for organizations that process personal data. The correct approach is to notify the relevant Data Protection Authority within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals. This requirement emphasizes the importance of prompt reporting in order to mitigate potential harm and ensure that data subjects can take any necessary precautions.

The 72-hour timeframe allows organizations to assess the breach and gather necessary information before making a report, while still prioritizing the urgency of the situation. This requirement stresses the accountability of data processors and controllers and enables regulatory authorities to act swiftly when necessary.

The other options misinterpret the reporting obligations under GDPR. While reporting within 24 hours might seem timely, that timeframe is not specified in the regulation. Reporting only if the breach affects data subjects' rights neglects the broader scope of the obligation outlined by GDPR, which is concerned with the reporting of all breaches. Lastly, asserting that there is no requirement to report breaches contradicts the GDPR's transparency and accountability principles, which make it critical for organizations to comply with established protocols.
