Data breach notification guidelines published by the EDPB

New data breach notification guidelines published by the EDPB use specific examples to frame what curative measures should be taken.

In a recent article, we reported on two doctors in France who were fined by the CNIL over a data breach and were also found to have breached Article 33 of the GDPR by neglecting to inform the supervisory authority of the data breaches. The rules on data breaches were introduced by the GDPR, which specifies that data breaches are to be reported to the competent national supervisory authority and, in some cases, to the individuals whose personal data has been affected by the breach. While data breach notifications had been conceptualized by the Article 29 Working Party in October 2017, its opinion did not adequately address all practical issues.

The EDPB has found it necessary to release a document to accompany the existing data breach notification guidelines. This document contains several fictional situations as examples, with the intention of explaining how real situations of that nature are best handled, and of helping data controllers decide how to handle data breaches and what factors to consider during risk assessments. The examples, though fabricated, reflect a common thread of experiences shared by the various supervisory authorities within the EEA since the inception of the GDPR.

There are various types of data breaches, each of which is identified and handled differently.

Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Following the earlier guidelines of the Article 29 Working Party (WP250), the EDPB document distinguishes three types of breach: a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; and an “availability breach”, which describes an accidental or unauthorised loss of access to, or destruction of, personal data.

 

Personal data breaches can indicate system weaknesses that need attention, and in some cases, these breaches could be avoided altogether through prior preparation. 

Personal data breaches can present serious problems, but they are also an indication of system weaknesses that need to be addressed. It is highly recommended that data controllers focus on prior preparation, in order to avoid personal data breaches altogether or to minimize and mitigate the associated risks. Given the nature of several types of data breaches, their consequences are irreversible. In addition, the root cause of a data breach must be identified in order to fully assess the risks associated with a breach resulting from some form of attack. This allows the controller to determine whether the vulnerabilities that brought the incident about are still present, and therefore still exploitable and in need of remediation.

Every controller should have plans and best practices established in the event of a possible data breach. These should include clear lines of reporting and responsible personnel assigned throughout the recovery process. Controllers should ensure that, if a personal data breach were to occur, staff are well informed on how it should be handled. The EDPB suggests training sessions that are regularly repeated and updated to address the latest trends and alerts from cyber attacks and other security incidents. Training should give staff the awareness to identify a data breach and to recognize the action steps to be taken as a result. Controllers’ best practices should be prepared in advance and should advise relevant personnel on the protocols for each facet of processing at each major stage of the operation. This should allow data breaches to be handled a lot quicker than if there were no plans in place.

Controllers should notify the competent supervisory authority of a data breach without delay, upon determining that the breach is likely to present a risk to the rights and freedoms of data subjects.

 

A breach should result in a notification as soon as the controller realizes that it will likely result in a risk to the rights and freedoms of data subjects. It is not necessary to wait until the investigation is complete and all the facts of the breach have been determined, including the true extent of the risk, as the supervisory authority can be notified in conjunction with the ongoing investigation and updated accordingly. If a controller deems a risk unlikely, and the risk does materialize, the supervisory authority can exercise its right to enforce corrective measures including sanctions. 

 

The new guidelines concerning data breach notifications were illustrated in the EDPB’s recent document using detailed examples, highlighting variations of data breaches. 

The examples covered in this new EDPB document span various types of personal data breaches, including ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices or paperwork, mispostal and social engineering. Because it is so important for institutions to be able to identify data breaches and to have directives on how they should be handled, the EDPB has provided within those guidelines several very specific examples for each of the aforementioned types of data breach, as well as recommendations on how each should be handled. In addition, the EDPB describes technical and organizational measures which can be used to prevent those personal data breaches or to mitigate their impact.

 

Actions necessary based on the identified risks

The EDPB document places each of its examples in one of three columns: no risk (record in the internal register only), risk (notify the supervisory authority) or high risk (communicate the breach to the data subjects as well). The examples, grouped by type of breach:

Ransomware
- Ransomware with proper backup and without exfiltration
- Ransomware without proper backup
- Ransomware with backup and without exfiltration in a hospital
- Ransomware without backup and with exfiltration

Data exfiltration attacks
- Exfiltration of job application data from a website
- Exfiltration of hashed passwords from a website
- Credential stuffing attack on a banking website

Internal human risk source
- Exfiltration of business data by a former employee
- Accidental transmission of data to a trusted third party

Lost or stolen devices and paper documents
- Stolen material storing encrypted personal data
- Stolen material storing non-encrypted personal data
- Stolen paper files with sensitive data

Mispostal
- Snail mail mistake
- Sensitive personal data sent by mail by mistake
- Personal data sent by mail by mistake

Social engineering
- Identity theft
- Email exfiltration

While each of the examples contained in the EDPB’s guidelines provides assistance for data controllers in assessing their own data breaches, it is also important to note that any change in the circumstances of the cases described therein may result in different or more significant levels of risk, requiring different or additional measures, which can only be fully determined by an adequate risk assessment. For example, the document provides two different examples of snail mail being sent to the wrong address; in one case, two customers’ orders were switched in error, the mail was called back, and it was then sent to the correct customers. While this does classify as a data breach, it is reasonably low-risk. This example does not call for reporting to the competent supervisory authority; notification of the data subjects is nevertheless expected in this case, as the suggested mitigating measures include asking each customer to destroy or delete all eventual copies of the bills containing the other person’s personal data.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.
