European Data Protection Board (EDPB) issues draft guidelines for data breach notification
What more could be done to aid data controllers in responding to personal data breaches and the practical considerations they face while operating under the General Data Protection Regulation (GDPR)?
The key takeaway
The EDPB “Guidelines 01/2021 on Examples regarding Data Breach Notification” (Draft Guidelines) are intended to be used by data controllers alongside their existing toolkit to manage and prevent personal data breaches effectively. The Draft Guidelines are not intended to serve as a comprehensive list of recommended actions, as every incident requires its own assessment and appropriate response.
The EDPB accepted that the earlier guidelines on personal data breach notification, produced by its predecessor, the Article 29 Working Party, lacked adequate detail and offered few practical considerations. In response, the EDPB has published the Draft Guidelines to give data controllers new guidance on how to better prevent, understand and respond to data breaches.
The Draft Guidelines outline six categories of data breaches, each illustrated with example cases, as listed below. Many of these examples refer to “data exfiltration”, which essentially means a security breach (often involving malware) in which an individual’s or company’s data is copied, transferred or retrieved from a computer or server without authorisation.
- Ransomware
  - Ransomware with proper backup and without exfiltration (Case No.01)
  - Ransomware without proper backup (Case No.02)
  - Ransomware with backup and without exfiltration in a hospital (Case No.03)
  - Ransomware without backup and with exfiltration (Case No.04)
- Data exfiltration attack
  - Exfiltration of job application data from a website (Case No.05)
  - Exfiltration of hashed password from a website (Case No.06)
  - Credential stuffing attack on a banking website (Case No.07)
- Internal human risk
  - Exfiltration of business data by a former employee (Case No.08)
  - Accidental transmission of data to a trusted third party (Case No.09)
- Lost or stolen devices or paper documents
  - Stolen material storing encrypted personal data (Case No.10)
  - Stolen material storing non-encrypted personal data (Case No.11)
  - Stolen paper files with sensitive data (Case No.12)
- Mail sent by mistake
  - Snail mail mistake: sending of incorrect packing bills with goods to customers (Case No.13)
  - Sensitive personal data sent by mail by mistake (Case No.14)
  - Personal data sent by mail by mistake (Case No.15)
  - Snail mail mistake: sending of two different insurance summaries to one recipient (Case No.16)
- Social engineering
  - Identity theft (Case No.17)
  - Email exfiltration (Case No.18)
The example cases within each category highlight the practice-based focus of the Draft Guidelines and provide data controllers with a wide-ranging list of the forms a data breach can take.
Each case in the Draft Guidelines is broken down into two sections:
- Prior measures and risk assessment: this section looks at reducing the overall likelihood of data breaches occurring, while providing guidance on how to assess the risks arising from a breach. It cites examples such as implementing proper patch management, using appropriate anti-malware detection systems, maintaining proper and separate backup systems, and providing employee training (a SETA programme).
- Mitigation and obligations: this section is concerned with mitigating the damage caused by the data breach and the resulting obligations on the data controller. It suggests carrying out an impact assessment, ensuring there is an incident response process, documenting all data breaches in accordance with Article 33(5) GDPR, and knowing when an obligation to communicate with the data subjects arises.
Why is this important?
The previous guidelines were more theoretical than practical, and the practice-based, example-driven approach of the new Draft Guidelines should be welcomed. They provide greater clarity and concrete guidance for both the prevention and mitigation of data breaches.
Any practical tips?
The UK is of course no longer a member of the EU, but the GDPR remains at the core of data protection law in the UK and, although the ICO has final authority on these issues, it is highly unlikely that the ICO will deviate from the EDPB’s Draft Guidelines. Either way, the categorisation and recommendations in the Draft Guidelines should certainly be welcomed by data controllers in the UK.