
Breach Notification

Tayra provides a breach assessment and notification service that helps you comply with GDPR Article 33 (notification to the supervisory authority) and Article 34 (communication to the data subject). The service analyzes the scope of a breach by querying the key store and generates structured notification reports.

GDPR Requirements

Article 33 requires you to notify the supervisory authority (DPA) within 72 hours of becoming aware of a personal data breach. The notification must include:

  • The nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate number of personal data records affected
  • Likely consequences
  • Measures taken or proposed to address the breach

Article 34 requires you to communicate the breach to affected data subjects "without undue delay" when the breach is likely to result in a high risk to their rights and freedoms.

Setup

Package Requirement

This feature requires the Tayra.Compliance package and a Compliance edition license. Data protection itself is handled by Tayra.Core — this package provides the reporting tooling.

```shell
dotnet add package Tayra.Compliance
```

Register the compliance services:

```cs
using Microsoft.Extensions.DependencyInjection;

// Register breach notification services
var breachServices = new ServiceCollection();
breachServices.AddTayra(opts => opts.LicenseKey = licenseKey)
    .AddCompliance(complianceOpts => { });

// Resolve ITayraCompliance; the examples below call it as breachCompliance
var breachCompliance = breachServices.BuildServiceProvider()
    .GetRequiredService<ITayraCompliance>();
```

This registers ITayraCompliance, which includes breach notification alongside PII inventory, data subject access, and compliance reports.

INFO

.AddCompliance() chains onto AddTayra() and depends on the key store and metadata cache registered by the core.

Describing a Breach

Create a BreachDetails object with the incident information:

```cs
// Describe the breach incident
var breachDetails = new BreachDetails
{
    DiscoveredAt = DateTimeOffset.UtcNow,
    Description = "Unauthorized access to customer database backup",
    AffectedKeyPrefixes = ["cust-"],
    BreachType = BreachType.Confidentiality,
};
```

BreachDetails Properties

| Property | Type | Description |
|---|---|---|
| DiscoveredAt | DateTimeOffset | When the breach was discovered |
| Description | string | Description of the incident |
| AffectedKeyPrefixes | IReadOnlyList<string> | Key prefixes that may be affected (used to query the key store) |
| BreachType | BreachType | The type of breach: Confidentiality, Integrity, or Availability |

Breach Types

| Type | Description |
|---|---|
| Confidentiality | Unauthorized access to or disclosure of personal data |
| Integrity | Unauthorized alteration of personal data |
| Availability | Loss of access to or destruction of personal data |

Assessing Impact

Use AssessBreachImpactAsync to determine the scope of the breach:

```cs
// Assess the impact of the breach
var impactReport = await breachCompliance.AssessBreachAsync(breachDetails);

Console.WriteLine($"Affected subjects: {impactReport.AffectedSubjectCount}");
Console.WriteLine($"Affected keys: {impactReport.AffectedKeyIds.Count}");
Console.WriteLine($"Severity: {impactReport.Severity}");
Console.WriteLine($"Affected entity types: {string.Join(", ", impactReport.AffectedEntityTypes)}");
```

The service queries the key store for all keys matching the affected prefixes, counts unique data subjects, and assesses the severity.

Impact Severity Levels

Severity is determined by the number of affected subjects and the breach type:

| Subject Count | Base Severity | With Confidentiality Escalation |
|---|---|---|
| 0 | Low | Medium |
| 1–100 | Medium | High |
| 101–1,000 | High | Critical |
| 1,001+ | Critical | Critical |

Confidentiality breaches are automatically escalated by one severity level (capped at Critical) because unauthorized disclosure carries the highest risk to data subjects.

BreachImpactReport Properties

| Property | Type | Description |
|---|---|---|
| AssessedAt | DateTimeOffset | When the assessment was performed |
| BreachDetails | BreachDetails | The original breach details |
| AffectedSubjectCount | int | Number of unique data subjects affected |
| AffectedKeyIds | IReadOnlyList<string> | All key IDs matching the affected prefixes |
| AffectedEntityTypes | IReadOnlyList<string> | Entity type names with registered personal data fields |
| Severity | BreachSeverity | Assessed severity: Low, Medium, High, or Critical |

Generating Notification Reports

Use GenerateNotificationReportAsync to produce a structured notification report:

```cs
// Generate the GDPR Art. 33/34 notification report
var notificationReport = await breachCompliance.GenerateBreachReportAsync(impactReport);

Console.WriteLine($"DPA notification deadline: {notificationReport.DpaNotificationDeadline}");
Console.WriteLine($"Is overdue: {notificationReport.IsOverdue}");
Console.WriteLine($"Subject notification required: {notificationReport.SubjectNotificationRequired}");

// DPA notification content (Art. 33)
Console.WriteLine($"\nDPA Notification:");
Console.WriteLine($"  Nature: {notificationReport.DpaNotification.NatureOfBreach}");
Console.WriteLine($"  Subjects: {notificationReport.DpaNotification.AffectedSubjectsSummary}");
Console.WriteLine($"  Data: {notificationReport.DpaNotification.AffectedDataSummary}");
Console.WriteLine($"  Consequences: {notificationReport.DpaNotification.LikelyConsequences}");
Console.WriteLine($"  Measures: {notificationReport.DpaNotification.MeasuresTaken}");

// Subject notification content (Art. 34)
Console.WriteLine($"\nSubject Notification:");
Console.WriteLine($"  Description: {notificationReport.SubjectNotification.Description}");
Console.WriteLine($"  Actions: {notificationReport.SubjectNotification.RecommendedActions}");
```

Report Structure

The BreachNotificationReport contains two sections:

DPA Notification (Art. 33) — Content for the supervisory authority:

  • Nature of breach
  • Affected subjects summary
  • Affected data summary
  • Likely consequences
  • Measures taken

Subject Notification (Art. 34) — Content for affected data subjects:

  • Clear description of what happened
  • Recommended protective actions

The report also includes:

  • DpaNotificationDeadline — 72 hours from DiscoveredAt
  • IsOverdue — Whether the deadline has passed
  • SubjectNotificationRequired — true when severity is High or Critical

Workflow

A typical breach response workflow with Tayra:

  1. Detect the breach and record DiscoveredAt.
  2. Assess the impact using AssessBreachImpactAsync.
  3. Generate the notification report using GenerateNotificationReportAsync.
  4. Notify the DPA within the 72-hour deadline using the DpaNotification content.
  5. Notify data subjects if SubjectNotificationRequired is true.
  6. Mitigate — Rotate or shred affected keys to limit further exposure.

WARNING

The 72-hour notification deadline starts from when you become aware of the breach, not from when it occurred. The IsOverdue property on the report checks against the current time.
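As an added example, and not code from Tayra or from this page, the following stand-alone C# program models the severity matrix, the Confidentiality escalation, the 72-hour DPA deadline and the Art. 34 trigger documented above, so the documented rules can be compared against what a report returns; the enums and the DocumentedBreachRules class are illustrative stand-ins for the library's types, not its implementation.

```cs
using System;

// Added example (not Tayra's code): a stand-alone model of the rules this page
// documents. Type and method names here are illustrative assumptions.
enum BreachType { Confidentiality, Integrity, Availability }
enum BreachSeverity { Low, Medium, High, Critical }
static class DocumentedBreachRules
{
    // Base severity from the "Impact Severity Levels" table.
    public static BreachSeverity BaseSeverity(int affectedSubjects) => affectedSubjects switch
    {
        <= 0 => BreachSeverity.Low,
        <= 100 => BreachSeverity.Medium,
        <= 1000 => BreachSeverity.High,
        _ => BreachSeverity.Critical,
    };
    // Confidentiality breaches are escalated one level, capped at Critical.
    public static BreachSeverity Assess(int affectedSubjects, BreachType type)
    {
        var severity = BaseSeverity(affectedSubjects);
        if (type == BreachType.Confidentiality && severity < BreachSeverity.Critical)
            severity++;
        return severity;
    }
    // Art. 33 clock: 72 hours from awareness (DiscoveredAt), not from occurrence.
    public static DateTimeOffset DpaDeadline(DateTimeOffset discoveredAt) =>
        discoveredAt + TimeSpan.FromHours(72);
    public static bool IsOverdue(DateTimeOffset discoveredAt, DateTimeOffset now) =>
        now > DpaDeadline(discoveredAt);
    // Art. 34 trigger: subject notification is required at High or Critical.
    public static bool SubjectNotificationRequired(BreachSeverity severity) =>
        severity >= BreachSeverity.High;
}
static class Program
{
    static void Main()
    {
        // Constructed incident: 250 subjects, Confidentiality (base High, escalated
        // to Critical), checked 80 hours after discovery, i.e. past the 72-hour window.
        var discoveredAt = new DateTimeOffset(2024, 5, 1, 9, 0, 0, TimeSpan.Zero);
        var severity = DocumentedBreachRules.Assess(250, BreachType.Confidentiality);
        var now = discoveredAt.AddHours(80);
        Console.WriteLine($"Severity: {severity}");
        Console.WriteLine($"Deadline: {DocumentedBreachRules.DpaDeadline(discoveredAt):u}");
        Console.WriteLine($"Overdue: {DocumentedBreachRules.IsOverdue(discoveredAt, now)}");
        Console.WriteLine($"Notify subjects: {DocumentedBreachRules.SubjectNotificationRequired(severity)}");
    }
}
```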
