The EDPB Finalises Their Data Breach Notification Guidelines

The European Data Protection Board (EDPB) has issued its final Guidelines on Examples regarding Personal Data Breach Notification (Guidelines). The comprehensive document was crafted with input received from several data protection authorities across the European Union, together with the results of the public consultation on the initial version submitted in the first quarter of 2021.


The Guidelines expand on previous EDPB guidance, and their goal is to help organisations comply with the requirements of the General Data Protection Regulation, especially those outlined in Article 33 (notification to the supervisory authority) and Article 34 (notification to data subjects). Under these provisions, controllers are required to document data breaches (including their impact and how they were addressed), notify the relevant supervisory authority of the incident (unless the breach is unlikely to result in a risk), and notify the data subjects affected by the incident (if the breach is likely to result in a high risk).


The Guidelines present examples of potential data breaches, together with mitigating measures that can be implemented to reduce their impact and the likelihood of recurrence. They also provide insight into the risk assessment that organisations must carry out to determine whether a breach must be reported, based on whether it is likely to result in a “risk” or a “high risk” to the data subjects. The examples are grouped into six categories: ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices and paper documents, mispostal, and other cases (social engineering).


Controllers are also expected to implement data breach handling plans and procedures, as well as internal reporting lines and designated responsible persons, to ensure a prompt response. Lastly, controllers and processors alike are expected to raise employee awareness through regular data protection training with a focus on data breach management.


9ine is here to help!


9ine’s incident management tool, available in our App, walks users through a series of questions that allow every aspect of a breach to be captured and recorded for compliance purposes. The incident management tool also aids decision-making, so that appropriate mitigating measures are promptly displayed and executed, and regulators and data subjects are notified where required.


If you would like to know more about the incident management tool, employee training to raise data breach management awareness, or how to implement the EDPB Guidelines, get in touch with a 9ine expert.
