On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.

The Guidelines reiterate at the outset that the GDPR establishes a low threshold for notifying personal data breaches to a supervisory authority.  Specifically, under Article 33 GDPR, a controller must notify a personal data breach to a competent supervisory authority (which must occur “without undue delay and, where feasible, not later than 72 hours after having become aware of it”) unless the data breach is “unlikely to result in a risk” (our emphasis) to individuals’ rights and freedoms.

By contrast, notifying a personal data breach to affected individuals under Article 34 GDPR (here, “without undue delay”) is required only if the breach is “likely to result in a high risk” (emphasis added) to individuals’ rights and freedoms.

The bar to notify supervisory authorities of a breach under the GDPR is therefore lower than to notify affected individuals; as such, Article 33 GDPR appears to make the obligation to notify the supervisory authority the rule.  The Guidelines also emphasize the obligation to keep internal records of breaches in each and every case – whether or not notification is required.

In short, Articles 33 and 34 of the GDPR require a data controller to, within a very short period of time, carefully assess the risk(s) of a particular incident and decide whether or not notification is required by law – a decision which may have far-reaching consequences.  The EDPB acknowledges that its existing Guidelines on personal data breach notification (available here) do “not address all practical issues in sufficient detail”.  As a result, the EDPB has expanded these Guidelines to include illustrative examples and more detailed recommendations, to serve as a practical resource to help organizations comply.  Some national supervisory authorities have also provided guidance and parameters in the meantime, in order to help organizations assess and qualify the risks associated with a data breach.  For example, the conference of the German supervisory authorities (DSK) has published the so-called Kurzpapier 18 (available here), which describes the various steps organizations should take in the course of a risk assessment, including various risk allocations.

The EDPB’s draft Guidelines are divided into six sections with examples of the following types of personal data breaches:

  • ransomware attacks;
  • data exfiltration;
  • internal human-related risks;
  • lost or stolen devices and/or documents;
  • postal mail-related breaches; and
  • social engineering.

For each example, the EDPB methodically considers:

  • the measures put in place (if any) by the data controller to protect personal data and prevent a breach;
  • the circumstances surrounding the breach;
  • the resulting risk based on the above factors;
  • mitigating steps that should be taken by the controller; and
  • the controller’s ensuing obligations.

These case studies may serve as helpful benchmarks for organizations seeking greater clarity about the types of data incidents that meet the notification threshold, and those that do not.  The Guidelines provide only general guidance and do not obviate the need for a detailed analysis of each individual case.

The Guidelines are significant in that they give recommendations on specific types of technical and organizational measures that data controllers should consider implementing to prevent a personal data breach and reduce the severity of a breach.  These include measures to:

  • prevent/mitigate the impacts of ransomware attacks (e.g., by forwarding or replicating all logs to a central log server, possibly including the signing or cryptographic time-stamping of log entries); and
  • prevent/mitigate credential-stuffing attacks (e.g., by ensuring there are strong user privileges and access controls in place).  The Guidelines’ emphasis on strong access controls notably echoes the advice of the UK Information Commissioner’s Office when it announced a recent fine against Marriott International in relation to a major data breach.

Finally, the Guidelines stress the need for organizations to adequately prepare for personal data breaches well in advance.  They state that “[e]very controller should have plans [and] procedures in place for handling eventual data breaches… [as well as] clear reporting lines and persons responsible for certain aspects of the recovery process.”  The Guidelines call on organizations to implement an incident response plan, a disaster recovery plan, a business continuity plan, and a “Handbook on Handling a Personal Data Breach” to train, educate and raise awareness among employees.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, cloud services, digitalization/Industry 4.0, IT-related bank regulatory matters, and IT compliance, including cybersecurity and data protection.

Furthermore, Lars also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g., regulatory requirements for banking and financial services as well as public procurement law.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.