On January 18, 2021, the European Data Protection Board (“EDPB”) released draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the initial Guidelines on personal data breach notification under the EU General Data Protection Regulation (“GDPR”) adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account supervisory authorities’ common experiences with data breaches since the GDPR became applicable in May 2018. The EDPB’s aim is to assist data controllers in deciding how to handle data breaches, including by identifying the factors that they must take into account when conducting risk assessments to determine whether a breach must be reported to relevant supervisory authorities and/or the affected data subjects.
The draft Guidelines include examples of common data breach scenarios, including (1) ransomware attacks, where malicious code encrypts the personal data and the attacker subsequently asks the controller for a ransom in exchange for the decryption code; (2) data exfiltration attacks that exploit vulnerabilities in online services offered by the controller and typically aim at copying, exfiltrating and abusing personal data for malicious purposes; (3) human errors resulting in data breaches, which, according to the EDPB, are fairly common and can be either intentional or unintentional; (4) lost or stolen devices and paper documents; (5) “mispostal,” i.e., personal data sent to the wrong recipient through human error without malicious intent; and (6) social engineering, such as identity theft and email exfiltration.
For each of the example cases described in the Guidelines, the EDPB identifies the relevant notification obligations (i.e., whether the supervisory authority and/or the affected data subjects must be informed) and the corresponding remediation obligations.
In the Guidelines, the EDPB also recalls several key elements of data breach management and response that organizations should consider, including:
- proactively identifying system vulnerabilities to prevent data breaches from happening;
- assessing whether a breach is likely to result in a risk to the rights and freedoms of data subjects. This assessment should be made at the time the organization becomes aware of the breach, which is also when the GDPR’s notification deadline starts to run. Controllers should not delay the notification by waiting for the results of a detailed forensic examination or for mitigation steps to be completed;
- implementing plans, procedures and guidelines (such as in the form of a handbook) on how to handle data breaches that have clear reporting lines and persons responsible for the recovery process;
- organizing training to raise awareness of data breach management. Training should take place regularly and be tailored to the controller’s processing and business activities. Training also should be updated to address the latest trends and alerts; and
- documenting breaches in each and every case, irrespective of the risk they pose.