EU Data Protection Board Guidance on Data Breach Reporting – The National Law Review


Greenberg Traurig, LLP Law Firm

Friday, February 12, 2021

When the GDPR took effect in 2018, it required notification within 72 hours to supervisory authorities in the EU of a data breach likely to result in a risk to the rights and freedoms of individuals, and subsequent notification to the individuals themselves if the breach could give rise to such a “high” risk. Unlike laws in the United States which specifically prescribe data elements that, if exposed, could meet this standard (e.g., social security numbers, driver’s license numbers, financial account information, etc.), the GDPR’s broad definition of personal data left many data controllers and legal experts alike struggling to identify the circumstances under which notification would be required. Given the stiff penalties for non-compliance with the GDPR, supervisory authorities were flooded with reports of data security incidents, notwithstanding that many such events posed no real risk to data subjects.

At long last, the European Data Protection Board (EDPB) has issued practical guidance on specific types of common security incidents to provide clarity around what constitutes a reportable event. The guidance reminds controllers that a data breach includes not only a compromise of the confidentiality of information – the standard by which U.S. laws judge incidents – but also a compromise of the availability or integrity of personal data. Given this broader scope, it is possible to have a security breach that requires reporting in the EU but not in the U.S., for example, if data is encrypted by ransomware but there is no indication it was viewed or exfiltrated.

The EDPB addresses the following common scenarios:

  • Ransomware

  • Malware

  • Credential stuffing

  • Inadvertent disclosure

  • Lost or stolen laptop

  • Lost paper files

  • Email Compromise

  • Preventative security measures

Click here to view the EDPB Guidelines.

©2020 Greenberg Traurig, LLP. All rights reserved.
National Law Review, Volume XI, Number 43
