New guidelines on examples regarding data breach notification – Lexology



European Union

February 4 2021

New guidelines on examples regarding data breach notification

On 14 January 2021, the European Data Protection Board (EDPB) published a set of draft guidelines on examples regarding data breach notifications under Article 33 of the General Data Protection Regulation (GDPR) (the “Draft Guidelines”). Once the public consultation period ends on 2 March 2021, these guidelines may be adopted – until then, the guidelines might still evolve. Several cases of data breaches are detailed in a practical and helpful way.

Article 4(12) GDPR provides that a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Article 33 GDPR provides that the controller must notify the competent national supervisory authority (in Luxembourg, the National Data Protection Commission, or CNPD) of a personal data breach within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In addition, when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subjects without undue delay.

Previous guidelines on the protection of individuals with regard to the processing of personal data had already been adopted on 6 February 2018. However, those guidelines pre-dated the GDPR, and more practical, case-by-case guidance, drawing on the experience acquired since the GDPR entered into effect, was eagerly awaited to help controllers handle data breaches more effectively and carry out their risk assessment.

To assist controllers in assessing and handling potential data breaches, the Draft Guidelines go through several cases based on typical facts drawn from the supervisory authorities’ collective experience with data breach notifications. The Draft Guidelines thus inventory 18 cases, grouped into 6 themes: ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices and paper documents, mispostal, and social engineering, such as email exfiltration.

The Draft Guidelines set out the measures, risk assessment, mitigation and obligations for each situation. Guidance is also provided on the organisational and technical measures for preventing the potential attacks and mitigating their impact.
