The EU General Data Protection Regulation (GDPR) obliges organisations to notify a data breach to the competent supervisory authority and – subject to certain circumstances – inform the affected individuals.
On 18 January 2021, the European Data Protection Board (EDPB) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification to help data controllers decide how to handle data breaches and what factors to consider in the context of related risk assessments. (This complements the October 2017 guidance on data breach notifications published by the Article 29 Working Party, the EDPB’s predecessor.)
The EDPB guidelines aim to shed some light on ‘an inventory of data breach notification cases deemed most common by the national supervisory authorities’ and the EDPB’s interpretation of controllers’ notification obligations.
Notification in a timely manner
In its guidance, the EDPB urges data controllers (and data processors) to abandon the widely held ‘analyse and evaluate’ attitude and instead notify the competent supervisory authority as soon as possible: ‘The controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified.’
However, if there are indications of a data breach, it is very important to identify the cause of the breach and prevent further damage by ‘eliminating’ this cause.
The EDPB guidance goes on to offer advice on how to comply with GDPR requirements and handle potential data breaches in a swift and timely manner. It presents 18 ‘practice oriented’ examples to help controllers assess whether the data breach is likely to result in a risk to the affected individuals that triggers the notification obligation.
There are also a few key takeaways to help mitigate risks relating to a potential data breach. The controller should:
- conduct a detailed impact assessment;
- start an internal incident response process; and
- produce internal documentation.
Even though the EDPB does not expect a fully assessed notification after 72 hours – it may be provided in phases – the regulator requires controllers to have comprehensive plans and procedures in place for handling eventual data breaches.
On another note, the practical examples in the guidance, which can be divided into two categories (human error and external attack), show how potential risks can be mitigated by having preemptive measures in place when handling personal data.
- The chances of human error (lost devices or documents, postal errors, etc.) resulting in a data breach can be reduced by using the likes of encryption, backups and standard operating procedures.
- The risk of suffering a data breach following an external attack (ransomware, stolen data or hardware, etc.) can also be reduced by using encryption and doing regular backups, along with ‘forcing’ the use of complex passwords.
Having such ‘strong’ measures in place should go a long way to preventing an obligation to notify the relevant supervisory authority.
For a more in-depth analysis of cyber attacks and data breaches, read our take on the anatomy of a data breach, which looks at how to mitigate risks and how to react if you are the victim of an attack.
Notification obligations beyond the GDPR
Companies increasingly need to keep abreast of a multitude of constantly evolving regulations at both national and European level, and to report incidents involving (personal) data under them. For example, the European Electronic Communication Code (EECC) requires relevant organisations to notify a ‘security incident’ and does not benefit from the GDPR’s one-stop-shop principle.
It is therefore necessary to assess whether there are obligations beyond the GDPR that are subject to (even shorter) notification periods. If so, a data incident may trigger more than one notification process.