The European Data Protection Board (EDPB) has launched a public consultation on its guidelines 01/2021 regarding data breach notification.
The new guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches by setting out worked examples of data breach notification. Whilst some guidance on data breach notification was already available, issued by the Article 29 Working Party in October 2017, the EDPB recognises that a need has arisen for practice-oriented, case-based guidance.
The new guidance reflects the common experiences gained by EEA member states’ supervisory authorities since the General Data Protection Regulation (GDPR) became applicable. The document is intended to complement the 2017 guidelines (Guidelines on Personal Data Breach Notification under Regulation 2016/679, WP250).
The new guidelines will be a useful addition to the toolkit for those responsible for data breach prevention, data breach handling and management, and data breach recognition and prevention training. Articles 33 and 34 of the GDPR require a data controller to carefully assess, within a very short period of time, the risks of a particular incident and to decide whether or not notification is required by law.
The guidelines detail 18 example scenarios covering ransomware attacks with varying degrees of severity of risk, data exfiltration attacks, human error incidents, lost or stolen devices, postal mail breaches and social engineering, with the goal of assisting data controllers in assessing their own data breaches.
Each scenario is followed by a detailed risk analysis and assessment, and then by a quick reference tick list highlighting the reporting actions necessary based on the identified risks. Lists of advisable measures are included, and the guidelines also aim to provide prevention ideas and possible solutions, although these are not intended to be exclusive or comprehensive, given that every processing activity is different.