On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here). The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.
The Guidelines are currently open for public consultation until March 2, 2021. In this blog post, we summarize a few key takeaways from the Guidelines.
The Guidelines reiterate at the outset that the GDPR establishes a low threshold for notifying personal data breaches to a supervisory authority. Specifically, under Article 33 GDPR, a controller must notify a personal data breach to a competent supervisory authority (which must occur “without undue delay and, where feasible, not later than 72 hours after having become aware of it”) unless the data breach is “unlikely to result in a risk” (our emphasis) to individuals’ rights and freedoms.
By contrast, notifying a personal data breach to affected individuals under Article 34 GDPR (here, “without undue delay”) is required only if the breach is “likely to result in a high risk” (emphasis added) to individuals’ rights and freedoms.
The bar for notifying supervisory authorities of a breach under the GDPR is therefore lower than the bar for notifying affected individuals; as such, Article 33 GDPR appears to make notification of the supervisory authority the rule rather than the exception. The Guidelines also emphasize the obligation to keep internal records of breaches in each and every case – whether or not notification is required.
In short, Articles 33 and 34 of the GDPR require a data controller to, within a very short period of time, carefully assess the risk(s) of a particular incident and decide whether or not notification is required by law – a decision which may have far-reaching consequences. The EDPB acknowledges that its existing Guidelines on personal data breach notification (available here) do “not address all practical issues in sufficient detail”. As a result, the EDPB has expanded these Guidelines to include illustrative examples and more detailed recommendations, to serve as a practical resource to help organizations comply. Some national supervisory authorities have also provided guidance and parameters in the meantime, in order to help organizations assess and qualify the risks associated with a data breach. For example, the conference of the German supervisory authorities (DSK) has published the so-called Kurzpapier 18 (available here), which describes the various steps organizations should take in the course of a risk assessment, including various risk allocations.
The EDPB’s draft Guidelines are divided into six sections with examples of the following types of personal data breaches:
- ransomware attacks;
- data exfiltration;
- internal human-related risks;
- lost or stolen devices and/or documents;
- postal mail-related breaches; and
- social engineering.
For each example, the EDPB methodically considers:
- the measures put in place (if any) by the data controller to protect personal data and prevent a breach;
- the circumstances surrounding the breach;
- the resulting risk based on the above factors;
- mitigating steps that should be taken by the controller; and
- the controller’s ensuing obligations.
These case studies may serve as helpful benchmarks for organizations seeking greater clarity about the types of data incidents that meet the notification threshold, and those that do not. The Guidelines provide only general guidance and do not obviate the need for a detailed analysis of each individual case.
The Guidelines are significant in that they give recommendations on specific types of technical and organizational measures that data controllers should consider implementing to prevent a personal data breach and reduce the severity of a breach. These include measures to:
- prevent/mitigate the impacts of ransomware attacks (e.g., by forwarding or replicating all logs to a central log server, possibly including the signing or cryptographic time-stamping of log entries); and
- prevent/mitigate credential-stuffing attacks (e.g., by ensuring there are strong user privileges and access controls in place). The Guidelines’ emphasis on strong access controls notably echoes the advice of the UK Information Commissioner’s Office when it announced a recent fine against Marriott International in relation to a major data breach.
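The central log server with signed, time-stamped entries that the Guidelines list as a ransomware countermeasure, shown as an added Python example (not code from the EDPB or the original post): the server stamps each forwarded event and HMAC-chains it to the previous entry, so a verifier can tell whether a log copy was edited, had entries deleted, or was silently truncated. The key, host name and events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed for this example: a key held only by the central log server
# (never on the monitored hosts) and three sample events from a file server.
SERVER_KEY = b"example-central-log-server-key"
CONSTRUCTED_EVENTS = [
    {"host": "fileserver01", "msg": "user alice logged in"},
    {"host": "fileserver01", "msg": "finance share mounted by alice"},
    {"host": "fileserver01", "msg": "2000 files renamed to *.locked in 4s"},
]
GENESIS = "0" * 64  # back-link of the very first entry


def seal_entry(prev_tag: str, event: dict, ts: float) -> dict:
    """Bind an event to its server timestamp and to the previous entry's tag
    with an HMAC, so editing, deleting or reordering any entry breaks the chain."""
    body = json.dumps({"ts": ts, "event": event, "prev": prev_tag}, sort_keys=True)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "event": event, "prev": prev_tag, "tag": tag}


def build_chain(events: List[dict], start_ts: float = 1_700_000_000.0) -> List[dict]:
    """Central server ingests forwarded events in arrival order, stamping each one."""
    chain, prev = [], GENESIS
    for i, ev in enumerate(events):
        entry = seal_entry(prev, ev, start_ts + i)
        chain.append(entry)
        prev = entry["tag"]
    return chain


def verify_chain(chain: List[dict], head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index). On failure, index is the first bad entry; when the
    server's separately stored head tag is given, silent truncation is caught too."""
    prev = GENESIS
    for i, e in enumerate(chain):
        expected = seal_entry(prev, e["event"], e["ts"])["tag"]
        if e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
            return False, i
        prev = e["tag"]
    if head is not None and prev != head:
        return False, len(chain)  # tail entries were removed
    return True, len(chain)


if __name__ == "__main__":
    chain = build_chain(CONSTRUCTED_EVENTS)
    head = chain[-1]["tag"]
    wiped = chain[:2]  # the tell-tale mass-rename event has been erased
    print("intact:", verify_chain(chain, head), "| wiped tail:", verify_chain(wiped, head))
```

The head tag is what the server must keep out of reach of the monitored hosts; without it, removing the newest entries leaves a chain that still verifies.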
Finally, the Guidelines stress the need for organizations to adequately prepare for personal data breaches well in advance. They state that “[e]very controller should have plans [and] procedures in place for handling eventual data breaches… [as well as] clear reporting lines and persons responsible for certain aspects of the recovery process.” The Guidelines call on organizations to implement an incident response plan, a disaster recovery plan, a business continuity plan, and a “Handbook on Handling a Personal Data Breach” to train, educate and raise awareness among employees.