On March 2, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on examples regarding data breach notification (the “Guidelines”). The Guidelines were adopted on January 14, 2021 for public consultation.
The EDPB’s Guidelines are intended to provide concrete personal data breach use cases and recommendations to help organizations (1) implement relevant technical and organizational measures; (2) understand the risk factors to consider when assessing data breaches; and (3) decide whether notification to the supervisory authority (“SA”) or affected individuals is necessary.
CIPL welcomes the Guidelines which come at a time at which cyber attacks are surging as a result of the move to remote working triggered by the COVID-19 crisis, and should help organizations avoid over-reporting.
CIPL provides comments on the particular use cases contained in the Guidelines, as well as key recommendations to the EDPB, in order to better align with the reality faced by organizations when handling data breaches. These are to:
- Clarify the relationship between the Guidelines and earlier Working Party 29 Guidelines on Personal data breach notification under the EU General Data Protection Regulation (“GDPR”);
- Acknowledge the GDPR risk-based approach to security;
- Avoid suggesting that data breaches can be prevented easily through organizational and technical measures without taking into account the specific context of each organization and the breach;
- Not conclude that a data breach is indicative of defective organizational measures;
- Clarify that a risk assessment covers an analysis of the likelihood and severity of the risks to the rights and freedoms of individuals;
- Avoid relying on the number of potentially affected individuals to determine whether notification is required;
- Provide that the risk analysis should be conducted reasonably, considering the state of technology at the time of the breach, and exclude mere speculative considerations or remote possibilities of the risk materializing;
- Take into account that global and sophisticated incidents may be more difficult to identify and may result in longer timelines with regard to communication to appropriate internal channels;
- Clarify how organizations can balance a short notification deadline with the need to perform due diligence and implement remedial actions in more complex scenarios; and
- Avoid setting thresholds too low for notifying regulators and individuals.
Download CIPL’s full response to the consultation.