The European Data Protection Board (EDPB) issued the draft Guidelines on Examples regarding data breach notification (01/2021), which supplement the older WP 29 guidance on data breach notifications from October 2017 and enrich it with more practical recommendations. The new draft EDPB Guidelines, which were open for consultation until 2 March, seek to provide data controllers with guidance on how to deal with data breaches and which factors they should take into account when assessing the risk caused by a data breach, as this assessment in turn determines whether the relevant Supervisory Authority and/or the affected individuals must be notified.
Drawing on the experience that Supervisory Authorities have acquired since the GDPR took effect in May 2018, the EDPB outlines categories of common data breach cases, such as ransomware attacks, data exfiltration attacks, internal human risks, lost or stolen devices and paper documents, incorrect recipients of post or e-mail, and social engineering (e.g. identity theft). For each of these categories, the Guidelines include examples of good and bad practices and of the prior measures that controllers should put in place to prevent a data breach or mitigate its impact, as well as guidance on what should inform the controller's risk assessment should a breach occur.