
4 February 2021 • 3 minute read
New guidelines on examples regarding data breach notification
On 14 January 2021, the European Data Protection Board (EDPB) published a set of draft guidelines on examples regarding data breach notifications under Article 33 of the General Data Protection Regulation (GDPR) (the Draft Guidelines). Once the public consultation period ends on 2 March 2021, these guidelines may be adopted – until then, the guidelines might still evolve. Several cases of data breaches are detailed in a practical and helpful way.
Article 4(12) GDPR provides that a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Article 33 GDPR provides that the controller must notify the competent national supervisory authority (in Luxembourg, the National Data Protection Commission (CNPD)) of a personal data breach within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In addition, when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subjects without undue delay.
Previous guidelines had already been adopted on the protection of individuals with regard to the processing of personal data on 6 February 2018. However, these guidelines pre-dated the GDPR, and more practical, case-by-case guidance, leveraging the experience acquired since the entry into effect of the GDPR, was eagerly awaited to handle data breaches more effectively and to assist data controllers in their risk assessments.
To assist controllers in the assessment and handling of potential data breaches, the Draft Guidelines go through several cases based on typical facts sourced from the supervisory authorities’ collective experience with data breach notifications.
The Draft Guidelines list 18 cases, categorized in six themes: ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices and paper documents, mispostal, and social engineering such as email exfiltration.
The Draft Guidelines set out the measures, risk assessment, mitigation and obligations for each situation. Guidance is also provided regarding organizational and technical measures for preventing and mitigating the impacts of the potential attacks.
DLA Piper can assist clients in avoiding and handling data breaches in accordance with the GDPR.