EDPB Issues Draft Guidelines for Data Breach Notifications
The guidelines are supposed to help data controllers when it comes to deciding how to handle data breaches and what factors to consider during risk assessment.
The European Data Protection Board this week published draft guidelines around examples of data breach notification scenarios.
In the European Union, those that have to comply with the General Data Protection Regulation – as outlined in Articles 33 and 34 – have to report to the relevant national supervisory authority and inform any individuals who may have had their personal data compromised following a breach. The latest round of guidelines includes input from supervisory authorities’ experience with data breaches since GDPR went into effect in 2018.
The 32-page document (.PDF) is designed to help data controllers when it comes to deciding how to handle data breaches and what factors to consider during risk assessment.
As they're draft guidelines, they're not concrete, but they are a fine starting point for businesses that haven’t reviewed their data breach notification protocols lately. Those interested can submit feedback on the draft guidelines until March 2.
In the guidelines, the EDPB drilled down on seven examples of incidents that would necessitate reporting to a relevant supervisory authority, along with mitigations and obligations that would apply to an organization if it experienced such an attack.
1. Ransomware, or any attack in which malicious code encrypts personal data and the attacker asks the controller for a ransom in exchange for decryption.
2. Data exfiltration attack, or an attack that aims at copying, exfiltrating and abusing personal data for some malicious purpose. These attacks typically come as a result of a website compromise or a vulnerable service.
3. Internal human risk, or any breach that may be connected to human error. Examples of this type of data breach include insider theft scenarios, such as data theft by a former employee, and accidentally transferring data to a third party.
4. Lost or stolen devices or paper documents – in these incidents, controllers need to account for whether the data was in digital or physical form and whether it was sensitive.
5. Mispostal, another form of human error, and one that's largely out of a data controller's hands after it has occurred. Consider a municipal department mistakenly sending sensitive personal data by mail.
6. Social engineering, which includes forms of identity theft and email exfiltration.
The document considers every avenue of an attack and what type of actions a data controller should take based on the identified risks. For ransomware, for example, it provides examples for scenarios in which a business experiences an attack with proper backup but without data exfiltration, without proper backup, with backup but without data exfiltration in a hospital, and without backup and with data exfiltration.
When it comes to timing, the EDPB reiterates that organizations shouldn't wait to report a breach, even if they are still awaiting a detailed forensic assessment of what transpired.
"The breach should be notified when the controller is of the opinion that it is likely to result in a risk to the rights and freedoms of the data subject. Controllers should make this assessment at the time they become aware of the breach," the guidance reads.
In the guidance, the EDPB published measures organizations can take to prevent and mitigate data breaches. Some of those steps include:
- Having plans and procedures in place for handling eventual data breaches, along with clear reporting lines and persons responsible for certain aspects of the recovery process.
- Overseeing training and awareness on data protection issues, repeated regularly depending on the processing activity and the size of the controller.
- Documenting the breach, no matter how serious, in accordance with Article 33 (5), GDPR.