On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.

The Guidelines reiterate at the outset that the GDPR establishes a low threshold for notifying personal data breaches to a supervisory authority.  Specifically, under Article 33 GDPR, a controller must notify a personal data breach to a competent supervisory authority (which must occur “without undue delay and, where feasible, not later than 72 hours after having become aware of it”) unless the data breach is “unlikely to result in a risk” (our emphasis) to individuals’ rights and freedoms.

By contrast, notifying a personal data breach to affected individuals under Article 34 GDPR (here, “without undue delay”) is required only if the breach is “likely to result in a high risk” (emphasis added) to individuals’ rights and freedoms.

The bar to notify supervisory authorities of a breach under the GDPR is therefore lower than to notify affected individuals; as such, Article 33 GDPR appears to make the obligation to notify the supervisory authority the rule.  The Guidelines also emphasize the obligation to keep internal records of breaches in each and every case – whether or not notification is required.

In short, Articles 33 and 34 of the GDPR require a data controller to, within a very short period of time, carefully assess the risk(s) of a particular incident and decide whether or not notification is required by law – a decision which may have far-reaching consequences.  The EDPB acknowledges that its existing Guidelines on personal data breach notification (available here) do “not address all practical issues in sufficient detail”.  As a result, the EDPB has expanded these Guidelines to include illustrative examples and more detailed recommendations, to serve as a practical resource to help organizations comply.  Some national supervisory authorities have also provided guidance and parameters in the meantime, in order to help organizations assess and qualify the risks associated with a data breach.  For example,  the conference of the German supervisory authorities (DSK) has published the so-called Kurzpapier 18 (available here), which describes the various steps organizations should take in the course of a risk assessment, including various risk allocations.

The EDPB’s draft Guidelines are divided into six sections with examples of the following types of personal data breaches:

  • ransomware attacks;
  • data exfiltration;
  • internal human-related risks;
  • lost or stolen devices and/or documents;
  • postal mail-related breaches; and
  • social engineering.

For each example, the EDPB methodically considers:

  • the measures put in place (if any) by the data controller to protect personal data and prevent a breach;
  • the circumstances surrounding the breach;
  • the resulting risk based on the above factors;
  • mitigating steps that should be taken by the controller; and
  • the controller’s ensuing obligations.

These case studies may serve as helpful benchmarks for organizations seeking greater clarity about the types of data incidents that meet the notification threshold, and those that do not.  The Guidelines provide only general guidance and do not obviate the need for a detailed analysis of each individual case.

The Guidelines are significant in that they give recommendations on specific types of technical and organizational measures that data controllers should consider implementing to prevent a personal data breach and reduce the severity of a breach.  These include measures to:

  • prevent/mitigate the impacts of ransomware attacks (e.g., by forwarding or replicating all logs to a central log server, possibly including the signing or cryptographic time-stamping of log entries); and
  • prevent/mitigate credential-stuffing attacks (e.g., by ensuring there are strong user privileges and access controls in place).  The Guidelines’ emphasis on strong access controls notably echoes the advice of the UK Information Commissioner’s Office when it announced a recent fine against Marriott International in relation to a major data breach.

Finally, the Guidelines stress the need for organizations to adequately prepare for personal data breaches well in advance.  They state that “[e]very controller should have plans [and] procedures in place for handling eventual data breaches… [as well as] clear reporting lines and persons responsible for certain aspects of the recovery process.”  The Guidelines call on organizations to implement an incident response plan, a disaster recovery plan, a business continuity plan, and a “Handbook on Handling a Personal Data Breach” to train, educate and raise awareness among employees.

Print:
EmailTweetLikeLinkedIn
Photo of Mark Young Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He…

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.