The European Data Protection Board (EDPB) has issued its final Guidelines on Examples regarding Personal Data Breach Notification (Guidelines). The comprehensive document was crafted with input from several data protection authorities across the European Union and the results of the public consultation on the initial version, which was submitted in the first quarter of 2021.
The Guidelines expand on previous EDPB guidance, and their goal is to help organisations comply with the requirements of the General Data Protection Regulation, especially those outlined in article 33 (notification to the supervisory authority) and article 34 (notification to data subjects). Under these provisions, controllers are required to document data breaches (including their impact and how they were addressed), notify the relevant supervisory authority of the incident (unless the breach is unlikely to result in a risk), and notify the data subjects affected by the incident (if the breach is likely to result in a high risk).
The Guidelines present examples of potential data breaches and of mitigating measures that can be implemented to reduce their impact and the likelihood of recurrence. They also provide insight into the risk assessment that organisations must carry out to determine whether a breach should be reported, based on whether the breach is likely to result in a “risk” or a “high risk” to the data subjects. The examples are broken down into six categories: ransomware, data exfiltration attacks, internal human risk source, lost or stolen devices and paper documents, mispostal, and other cases (social engineering).
Controllers are also called on to implement data breach handling plans and procedures, as well as internal reporting lines and designated persons, to ensure a prompt response. Lastly, controllers and processors alike are expected to raise employee awareness through regular data protection training with a focus on data breach management.
9ine is here to help!
9ine’s incident management tool, available in our App, walks users through a series of questions so that every aspect of the breach is captured and recorded for compliance purposes. The incident management tool also aids decision-making, so that appropriate mitigating measures are promptly displayed and executed, and regulators and data subjects are notified (if needed).
If you would like to know more about the incident management tool, employee training to raise data breach management awareness, or how to implement the EDPB Guidelines, get in touch with a 9ine expert.