The European Data Protection Board (EDPB) has called for comment on Guidelines 01/2021 on examples regarding data breach notification (the guidelines). The deadline for comment is 2 March 2021.
As noted in the guidelines, the General Data Protection Regulation (GDPR) introduced the requirement for a personal data breach to be notified to the competent data protection authority (DPA) and, in certain cases, to be communicated to the individuals whose personal data has been affected by the breach. The aim of the guidelines is to help data controllers decide how to handle data breaches and what factors to consider during the risk assessment.
The GDPR (Article 4(12)) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Breaches can be categorised according to the following three information security principles (a single incident may fall into more than one category): (i) a confidentiality breach, where there is an unauthorised or accidental disclosure of, or access to, personal data; (ii) an integrity breach, where there is an unauthorised or accidental alteration of personal data; and/or (iii) an availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
As noted in the guidelines: “A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymization, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligations of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organizational measures to address them.”
Accordingly, the GDPR requires data controllers to:
- Document any personal data breach, comprising the facts relating to the personal data breach, its effects and the remedial action taken, so that the DPA can verify compliance (Article 33(5)); this applies to every breach, whether or not it is notified;
- Notify the personal data breach to the DPA without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)); and
- Communicate the personal data breach to the data subject without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (Article 34(1)).
The guidelines emphasise the need for data controllers to have plans and procedures in place for handling data breaches before one occurs. Organisations should have clear reporting lines and named persons responsible for each aspect of the response and recovery process. Furthermore, the guidelines note that staff training and awareness is an essential step for data controllers, and should be repeated regularly to address the latest trends in, and alerts about, cyber-attacks and other security incidents.
The guidelines are accessible here.
Comments on the guidelines can be submitted here.