EDPB publishes final guidelines on breach notification
When should you notify the relevant authorities and data subjects, following a data breach?
The key takeaway
The EDPB's new guidelines provide “practice-oriented, case-based” guidance on when it is necessary to notify the relevant supervisory authorities. The guidelines demonstrate the large extent to which situations must be assessed on a case-by-case basis, the degree of variance in outcomes when effective preventative measures are (or are not) in place and the importance of taking the right mitigating actions whilst ensuring compliance with data protection regulations.
The background
The European Data Protection Board (EDPB) published its “Guidelines on Examples regarding Personal Data Breach Notification” (Guidelines). They aim to assist data controllers in deciding how to handle breaches by setting out factors to be considered during a risk assessment. They provide “practice-oriented, case-based” guidance on when it is necessary to notify the relevant supervisory authorities under Article 33(1) of the GDPR and/or data subjects under Article 34(1) of the GDPR, following a personal data breach.
The development
Although the EDPB has previously published guidance on personal data breach notifications, the latest Guidelines focus on practical examples and provide case studies which aim to offer additional reasoning as to the events that are likely to trigger Articles 33(1) and 34(1). They contain a wide range of examples, setting out each scenario with key variables such as the presence of an IT security system and/or the exfiltration of personal data. Using the examples as a vehicle for showing how the Guidelines should be interpreted, the EDPB highlights that controllers and processors should:
- have procedures in place for handling data breaches
- establish clear reporting lines and individuals responsible for aspects of the breach investigation and mitigation process
- conduct regular staff training and awareness on data protection issues, with a focus on personal data breach management and identification of data breach incidents, and
- incorporate breach response planning into each facet of the organisation’s data processing as part of the data protection by design principle.
Preventative measures that could have ensured a different outcome (had they been in place at the time of the incident) are taken into account, as well as the actions that data controllers could take to mitigate the impact of the incident and ensure compliance with regulatory obligations.
Why is this important?
The UK GDPR mirrors the European notification requirements and, although EDPB guidelines are no longer directly relevant to the UK regime, the Information Commissioner’s Office has confirmed that they could still provide helpful guidance for UK organisations.
The Guidelines demonstrate the large extent to which situations must be assessed on a case-by-case basis, the degree of variance in outcomes when effective preventative measures are (or are not) in place and the importance of taking the right mitigating actions whilst ensuring compliance with data protection regulations.
Investing in preventative measures and effective risk assessment procedures is critical, particularly when weighed against the consequences of a significant breach: breaches can lead to a large fine, potential compensation to data subjects and significant reputational damage.
Any practical tips?
Consider sharing the Guidelines with your IT and data security teams. The practical nature of the Guidelines should appeal to them, not least as examples are provided for: ransomware; data exfiltration attacks; internal human risk; lost or stolen devices and paper documents; mis-postal; and social engineering. As a quick, wider round-up:
- ensure your organisation reviews its operations for any data security vulnerabilities and takes measures to tackle them
- review internal procedures to ensure that they are adequately safeguarded and equipped to manage any personal data breaches that may arise
- ensure that clear guidelines are shared within the organisation on how to handle data breaches, including regular training to individuals involved in data processing
- document all data breaches to ensure compliance with the accountability principle.