Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.
The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.
In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.
What are the guidelines about?
The updated guidelines from the EDPB take a scenario-based approach, setting out:
- The common categories of data breaches such as ransomware, data exfiltration attacks, human error and social engineering.
- Appropriate mitigation steps and preventative measures for each scenario and notification obligations following the identification of a breach. The guidelines therefore recommend certain measures to prevent the most common forms of data breach (namely by implementing appropriate security measures, providing regular training, and reviewing and testing the measures put in place in light of technological advancements).
How to assess the risks of a data breach
As stated in the GDPR, data breaches likely to result in a risk to the rights and freedoms of individuals should be reported to the competent authority and those likely to result in a “high risk” should also be notified to the individuals affected. Examples in the guidelines suggest that a wide variety of factors can increase the level of risk a data breach poses to data subjects. While the risks to individuals were covered in previous guidance (for example, the risk of financial loss or identity theft), the new guidelines focus on the following additional risk factors:
- Where data is exfiltrated but not fully backed up, it is not recoverable and so unavailable.
- Where compromised personal data has not been secured using state-of-the-art encryption, it becomes readily available to attackers.
- Where back-ups are not effectively maintained, compromised data cannot be effectively recovered.
The small print – amendments since the consultation
Of additional interest are the amendments the EDPB has made following the public consultation. Whilst none of these changes are surprising, they signal issues of particular interest to the public and the EDPB’s position. These include:
- Confirmation that the guidelines are also relevant to processors. Even though the obligation to report data breaches to data protection authorities rests with controllers, the EDPB has added references to processors throughout the guidelines, emphasising that processors are also required to implement appropriate measures to prevent data breaches. It is therefore advisable that technology vendors consider the case studies provided in the guidelines and assess whether their existing security measures and data breach procedures align with the EDPB’s expectations.
- Non-reportable breaches should still be investigated. Even where a data breach is considered not to be notifiable, the EDPB expects businesses to thoroughly investigate the breach to identify the cause and consider future remediation. In the event of a significant data breach, previous, less significant breaches and failures that did not address the underlying causes can signal to the authorities that there may be a systematic failure.
- Back-ups should be taken periodically and isolated to increase the likelihood of data recovery in the case of ransomware.
- Public notifications to data subjects should be made carefully. Businesses should consider whether making the details of the breach public may lead to additional negative consequences for the data subjects.
- Controllers of highly personal data have a greater responsibility to provide adequate data security. Such data includes payment details, payrolls, bank statements or other information revealing the financial details of the data subjects.
- Emphasis on the adoption of multi-factor authentication, and the need to not only carry out risk analysis, but also test and update risk management procedures.
Challenges to managing data breaches globally
For multinationals that experience data breaches, the task of assessing whether to notify regulators or data subjects has become a lot more complex due to the evolution of data protection laws worldwide. For such organisations, assessing the duty to notify under the GDPR has become only one piece of a bigger puzzle, especially given that data protection rules increasingly have an extraterritorial effect. Therefore, if a data breach takes place in the United States or Europe but affects the personal data of residents or citizens of other countries, the laws governing those residents/citizens may need to be assessed for compliance purposes, too.
Since the GDPR came into force in 2018, similar data protection laws have been adopted by countries around the world. Those laws also have extraterritorial effect and require notification to data protection regulators and data subjects if specific thresholds are met. Often the country’s approach to extraterritoriality under such laws is similar to the GDPR in that local data protection rules apply if data subjects are offered goods or services, or their behaviour is monitored, in that country. In other instances, the laws apply simply because the data subjects are residents or citizens of that country or because the personal data originated there (for example, the equipment or other means located in that country). For further information about any data breach notification requirements that may apply to you, please contact us.