European Data Protection Board issues guidelines on data breach notifications

January 31, 2021

On 14 January 2021 the European Data Protection Board (EDPB) adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification. These are intended to complement the Guidelines on Personal Data Breach Notification under Regulation 2016/679 (GDPR), WP 250, which were produced by the Article 29 Working Party (WP29) in October 2017.

The new Guidelines are intended to be practice-oriented, case-based guidance that provides worked examples together with suggested organisational and technical measures to assist with prevention and mitigation in each case. Comments on the new Guidelines may be submitted until 2 March 2021.

The examples of different kinds of personal data breaches described in the new Guidelines are fictitious, but are founded on the experiences of European national supervisory authorities (SAs) with data breach notifications. The illustrations cover ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices or paper documents, misdirected post and cases involving social engineering.

For each category, several examples are provided, each with an analysis of appropriate prior measures, risk assessment, mitigation and the resulting obligations. Organisational and technical measures for preventing or mitigating the impact of the particular type of breach in question are also explored.

The Guidelines should provide welcome guidance to data controllers on the various types of personal data breaches, and the practical, real-life examples should assist organisations that experience similar breaches.

The illustrations set out should help controllers determine whether a personal data breach they suffer is serious enough to require notification to the relevant SA and also to any affected data subjects. The Guidelines may be helpful both to organisations and to the resource-constrained SAs in preventing over-reporting of personal data breaches.

It will be interesting to see what comments are received regarding the draft Guidelines and whether further details and examples will be included in the final version.
