The European Data Protection Board (EDPB) published on 14 January 2021 its  ‘Guidelines on Examples regarding Data Breach Notification’. This supplements earlier Article 29 Working Party guidelines in this area, providing more focused and practical guidance for organisations on managing personal data breaches.

The guidance draws on the combined experience of EU Supervisory Authorities to provide 18 fictitious case studies examining when the thresholds for notification to Supervisory Authorities and individuals are met (Articles 33 and 34 of the General Data Protection Regulation) and associated  measures to prevent and mitigate such breaches. The case studies are divided into the six most common scenarios for breach notification identified by Supervisory Authorities:

  • Ransomware attacks, where malicious code encrypts personal data and a ransom is required to decrypt the personal data.
  • Data exfiltration attacks, where attackers exploit existing vulnerabilities in services offered over the internet to extract and abuse data for malicious purposes.
  • Internal human risk source, where human error (intentional and non-intentional) is the cause of the breach.
  • Lost or stolen devices and paper documents, commonly resulting in a loss of confidentiality, but that may also cause loss of availability and integrity.
  • Mispostal, where personal data is unintentionally sent to the wrong recipient by email or post.
  • Social engineering, where individuals are manipulated into providing personal data to an unauthorised third party.

Next Steps

The guidance remains open for public consultation until March 2021 and may subsequently be amended. However, there are a number of proactive steps that privacy and cybersecurity teams can take to gauge alignment between their existing personal data breach management procedures and the EDPB’s guidance.

Notification:

  • Review internal guidance and methodologies for evaluating regulatory and individual notification against the case studies
  • Analyse related training materials and breach simulation exercises to ensure they incorporate factors highlighted in the EDPB guidance

Prevention and Remediation:

  • Evaluate whether existing incident reporting procedures and awareness materials do in fact require reporting of the case study examples highlighted by the EDPB
  • Ensure existing incident management framework mandates recording of all personal data breaches regardless of the risk they present, to support early identification and remediation of recurring events
  • Undertake regular updating of firmware and application software to prevent legacy vulnerabilities from being exploited
  • Maintain up-to-date and regularly test back-up procedures to support operational resilience to mitigate against loss of availability and integrity of personal data
  • Conduct periodic vulnerability testing, enabling the identification and subsequent remediation of weakness in network security