EDPB Publishes Additional Guidelines on Data Breach Notification
The European Data Protection Board (“EDPB”) has recently adopted supplementary Guidelines on how controllers should handle data breaches. The Guidelines include 18 case studies based on EU data protection authorities’ collective experience, covering data breaches arising from ransomware, data exfiltration attacks, human errors or risks, loss of devices or documents, posting errors and social engineering.
Because data breaches can have irreversible effects, a defense mechanism should always be in place and well understood by those to whom the GDPR is addressed. Whether or not such mechanisms are defined as a set of plans or procedures for handling eventual data breaches, it is safe to say that a system for notifying the supervisory authority is part of a well-structured incident response plan.
What is a personal data breach?
In addition to the explicit definition that GDPR provides, a data breach is understood as a “confidentiality breach” focusing on accidental disclosure or access to personal data, an “integrity breach” highlighting the undesirable effect of accidental alteration of such data or an “availability breach” that refers to loss of access or even destruction of personal data.
This meaning should be read in connection with the key obligation imposed by the General Data Protection Regulation (the GDPR): the need to implement technical and organizational measures that ensure an appropriate level of security of personal data. Such protection should be envisaged against unauthorized or unlawful processing and against accidental loss, destruction or damage.
When should a data breach be notified?
As a general principle, the breach should be notified when it is likely to result in a risk to the rights and freedoms of the data subject. Since risk assessment is made by each controller, in practice there are many differences. Supervisory authorities have experienced over-reporting of potential data breaches, yet some of the more serious breaches have not been promptly reported.
The Guidelines aim to highlight the slight differences between actual scenarios, to better explain when a data breach notification should be considered.
What are the different types of data breaches?
Some of the data breach scenarios included in the Guidelines refer to:
- ransomware attacks – when attackers ask for ransom to grant access to stolen data through a decryption code;
- data exfiltration attacks that aim at copying, exfiltrating and abusing personal data for malicious purposes;
- human errors resulting in data breaches which could be both intentional and unintentional;
- lost or stolen portable devices and paper documents, a scenario that stresses the need to assess the circumstances of the processing operation in advance and thus ensure an appropriate level of security measures;
- “mispostal”, which arises from human error only and is often understood as a failure to address the intended information to a predetermined consignee; or
- social engineering, such as identity theft and email exfiltration.
The newly adopted scenario-based Guidelines aim to keep pace with the changing landscape of cyber security and personal data breaches, and come as support for both controllers and supervisory authorities.