On Monday, 3 January 2022, the European Data Protection Board (“EDPB”) published the finalized version of its regulatory guidance entitled “Examples regarding Personal Data Breach Notification” (the “Guidelines”), following a public consultation on a draft set of guidelines in 2021. The finalized Guidelines are a practice-oriented, and case-based set of examples that leverage the experiences gained by EU Supervisory Authorities since the EU GDPR became applicable.
The Guidelines build on and complement the Guidelines on Personal data breach notification under Regulation 2016/679 published by the Article 29 Working Party (the “WP29” – the predecessor to the EDPB) in 2018 and subsequently endorsed by the EDPB. That document provides more general guidance on the EU GDPR’s personal data breach provisions, including on the controller’s obligations to:
- Document any personal data breach, including its facts, effects and the remedial action taken;
- Notify personal data breaches to the competent Supervisory Authority (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons); and
- Communicate personal data breaches to affected data subjects (when the breach is likely to result in a high risk to the rights and freedoms of natural persons.
However, the EDPB considers that the WP29’s guidelines did not address all practical issues in sufficient detail. The new Guidelines therefore go a step further by setting out 18 different case-studies together with the EDPB’s analysis of the specific facts, with the aim of providing assistance for controllers when assessing their own personal data breaches. The EDPB’s case-studies cover:
- An assessment of the prior measures which the controller had (or should have) implemented to mitigate the risk;
- Information about the risk assessment to be carried out by the controller in light of the facts of the case-study;
- Examples of the mitigating facts, or mitigating actions that the controller could take to limit risks to data subjects;
- A summary of the requirements that the EDPB would typically consider to be triggered under the EU GDPR based on the risks identified, e.g., whether the controller should: (a) document the personal data breach; (b) notify it to the competent Supervisory Authority; and (c) communicate it to affected data subjects.
The Guidelines gather the case-studies into categories of commonly-encountered scenarios:
- Ransomware incidents;
- Data exfiltration attacks;
- Personal data breaches arising from internal human risk sources (e.g., exfiltration of business data by an employee);
- Lost or stolen devices and paper documents;
- Postal mistakes; and
- Personal data breaches arising as a result of social engineering.
Given the EU GDPR’s strict personal data breach reporting requirements (including a requirement for controllers to notify the Supervisory Authority of relevant personal data breaches without undue delay i.e., in principle within 72 hours), the new Guidelines are likely to be a key part of any controller’s data security incident response toolbox.
The Guidance can be found here.