The European data protection board publishes new guidelines on data breach notification

2021-02-04T17:34:00

On January 14, 2021, the European Data Protection Board (the “Board”) published new Guidelines on Examples regarding Data Breach Notification (the “Guidelines”) to supplement the guidelines adopted by the Article 29 Working Party in February 2018. The text is under public consultation until March 21, 2021, so it is not yet the final version.


The Guidelines aim to address the most relevant questions data controllers must consider when dealing with security breaches. They reflect the experience gained by the Member States’ data protection supervisory authorities since the General Data Protection Regulation came into effect.

First, the Guidelines set out some general ideas on security breaches. They stress that a controller must first be able to recognize a security breach before it can meet the obligations that follow: documenting the breach, notifying the competent supervisory authority when the regulations require it and after weighing up the rights involved, or informing the data subjects concerned when their fundamental rights and freedoms could be affected.

The Guidelines are structured in six groups of cases constituting security breaches, namely: (i) ransomware attacks; (ii) data leaks; (iii) human errors, whether intentional or not; (iv) lost or stolen devices and documentation; (v) mispostal arising from human error; and (vi) other cases, such as social engineering.

In turn, each of those groups includes several specific examples of security breaches, and for each case the Guidelines indicate how the data controller should manage the situation. In particular, they introduce preventive measures and offer a risk assessment based on the circumstances of each case. The Guidelines then describe mechanisms to mitigate the possible consequences of the security breach and the obligations the data controller must meet once the breach has occurred.

We will follow the development of the public consultation in this blog and keep you informed of the content of the final version.

Authors: Alejandro Negro and Paula Conde
