European Data Protection Board Issues Guidelines On Data Breaches

Publication Date: 05 February 2021
Subject: Privacy, Data Protection
Law Firm: Frankfurt Kurnit Klein & Selz
Author: Mr Elliott Siebers

On January 14, 2021, the European Data Protection Board ("EDPB") adopted Guidelines 01/2021 on Examples Regarding Data Breach Notification ("Guidelines"). The Guidelines complement prior guidelines issued by the Article 29 Working Party in October 2017, namely the Guidelines on Personal Data Breach Notification under Regulation 2016/679 ("GDPR"), WP 250. The Guidelines are not yet final, pending a public comment period that concludes on March 7, 2021. While the final version informed by public comments may vary slightly, it is unlikely to change drastically from the current version, as the Guidelines draw on the experience of European national supervisory authorities in handling data breach notifications since the GDPR became effective.

The Guidelines compile case-based examples from the experience of supervisory authorities, with the aim of helping controllers (the organizations that decide how individuals' data is processed) to decide how to handle data breaches and which factors to consider in their risk assessments. The Guidelines contain a multitude of cases, making them a practice-oriented resource for organizations to consult when implementing or reviewing their own technical and organizational measures. The cases fall into the general categories of ransomware and data exfiltration attacks, as well as "internal" risks posed by employees, lost or stolen devices, social engineering attacks, and third-party relationships. For each category, several examples are provided, together with an analysis of appropriate prior measures, risk assessment, mitigation, and notification obligations. In most cases, organizational and technical measures for preventing or mitigating the impact of the particular type of breach are also considered. (The EDPB notes, however, that where the circumstances of an actual incident differ from the examples provided, the resulting risks may differ and may require alternative steps to be taken.)

The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." The GDPR also recognizes that the harm individuals may suffer as a result of a breach can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage...
