On 14 January 2021 the European Data Protection Board (EDPB) published the Guidelines on Examples Regarding Data Breach Notification. These guidelines will help data controllers to decide how to handle personal data breaches and what factors to consider during risk assessments.

Background

Personal data breaches may result in physical, material or non-material damage to individuals – for example:

  • loss of control over their personal data or limitation of their rights;
  • discrimination;
  • identity theft or fraud;
  • financial loss;
  • unauthorised reversal of pseudonymisation;
  • damage to reputation;
  • loss of confidentiality of personal data protected by professional secrecy; and
  • any other significant economic or social disadvantage.

To protect individuals, the EU General Data Protection Regulation (GDPR) imposes several obligations on data controllers – namely, they must:

  • document personal data breaches, including:
    • the facts relating to the breach;
    • the effects of the breach; and
    • the remedial action taken;
  • notify the supervisory authority of personal data breaches, unless such breaches are unlikely to result in a risk to the rights and freedoms of individuals; and
  • communicate personal data breaches to data subjects where such breaches are likely to pose a high risk to the rights and freedoms of individuals.

To comply with these obligations, data controllers must carry out a risk assessment and decide how to handle each data breach. The EDPB guidelines constitute practice-oriented, case-based guidance that is based on the experience gained by data protection authorities in recent years.

To facilitate the decision-making process, the EDPB has identified certain cases that have occurred frequently in the past. The guidelines classify data breaches by the following causes:

  • ransomware;
  • data exfiltration attacks;
  • internal human risk sources;
  • lost or stolen devices and paper documents; and
  • mispostal.

The EDPB presents information about the following for each cause:

  • case studies;
  • prior measures;
  • risk assessments;
  • mitigation measures; and
  • obligations.

Based on the identified cases, the guidelines not only provide guidance on the handling of data breaches and the implementation of mitigation measures, but also present technical and organisational measures that can help to prevent such breaches.

Why are the guidelines important for controllers?

Binding or non-binding?

The EDPB guidelines are not binding, although the EDPB's task is to ensure the consistent application of the GDPR. However, the EDPB is composed of the head of one supervisory authority of each EU member state and the European data protection supervisor, or their respective representatives. Therefore, the guidelines reflect the actions of the national data protection authorities.

Consequences for non-compliance

Data protection authorities may impose fines of up to €20 million or 4% of a company's annual turnover under Articles 83 and 84 of the GDPR. Data subjects may claim compensation under Article 82 of the GDPR. From an EU perspective, it is unclear whether competitors may send cease-and-desist letters. Companies may also face indirect costs (eg, reputational damage or management costs).

Enforcement

The GDPR is actively enforced.

Examples of companies experiencing non-compliance issues

Recently, the Dutch data protection authority imposed a fine of €450,000 on Booking.com.(1) The Irish data protection authority imposed a fine of the same amount on Twitter.(2)

What actions should controllers take?

At a minimum, all controllers should:

  • identify areas of risk and take appropriate security measures – as explained above, controllers should take technical and organisational measures to prevent data breaches from occurring in the first place;
  • set up data breach plans and procedures – since data breaches must be reported within strict time limits, controllers should set up appropriate plans and procedures for handling them. In particular, responsibilities and communication channels within the company should be clearly specified in these procedures; and
  • carry out training – all employees that are authorised to process personal data should be trained on how to deal with data breaches. All such employees should be able to recognise a data breach and understand what actions need to be taken.

Endnotes

(1) For further information please see the Dutch data protection authority website.

(2) For further information please see the EDPB website.