On January 18, 2021, the European Data Protection Board (“EDPB”) published draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “Guidelines”). The Guidelines complement the original guidelines on personal data breach notification under the EU General Data Protection Regulation (GDPR), which were adopted by the Article 29 Working Party in February 2018. The new draft Guidelines take into account the experience supervisory authorities have gathered with personal data breaches since the GDPR came into force in May 2018. The EDPB aims to assist data controllers in deciding how to handle data breaches, including identifying the factors to consider when conducting risk assessments to determine whether a breach must be notified to the competent supervisory authority and/or communicated to the data subjects concerned.
The draft Guidelines provide examples of common data breach scenarios, including (1) ransomware attacks, in which malicious code encrypts personal data and the attacker then demands a ransom from the controller in exchange for the decryption key; (2) data exfiltration attacks, which exploit vulnerabilities in online services offered by the controller and typically aim to copy, extract and misuse personal data for malicious purposes; (3) internal human risk sources leading to a data breach, which the EDPB says are fairly common and can be both intentional and unintentional; (4) lost or stolen devices and paper documents; (5) “mispostal” (misdirected mail) resulting from human error without malicious intent; and (6) social engineering such as identity theft and email exfiltration.
For each of the example cases described in the Guidelines, the EDPB identifies the applicable notification obligations (i.e. to the supervisory authority and/or the affected data subjects) and the corresponding remediation obligations.
In the guidance, the EDPB also recalls several key elements of data breach management and response that organizations should consider, including:
- Proactive identification of system vulnerabilities to prevent data breaches;
- Assessment of whether a breach is likely to result in a risk to the rights and freedoms of the data subjects. This assessment should be made at the time the organization becomes aware of the breach; controllers should not delay notification by waiting for a detailed forensic investigation and mitigation to be completed;
- Implementation of plans, procedures and guidelines (e.g. in the form of a handbook) for dealing with data breaches, with clear reporting lines and designated persons responsible for the recovery process;
- Organization of training to raise awareness of data breach management. Training should be regular and tailored to the controller’s processing and business activities, and should be updated to reflect the latest trends and warnings; and
- Documentation of breaches in every case, regardless of the risk they pose.
The draft Guidelines are open for public consultation until March 2, 2021. Feedback can be submitted to the EDPB during the consultation period.