posted 3 years ago
In mid-December, the European Data Protection Board (EDSA) adopted the Guidelines 01/2021 on examples of data breach notification (the "Guidelines") as guidance on how data controllers and processors must handle personal data breaches. Eighteen examples covering different types of attacks were included. The Guidelines are a practical complement to the Article 29 Working Party's (WP 29) Guidelines on Personal Data Breach Notification under Regulation (EU) 2016/679.
Definition of data breach according to GDPR
A data breach is a breach of security that results in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidentally or unlawfully. Data breaches can be:
Conduct in case of data breach
In such a case the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, notification is not required; however, an assessment shall still be conducted and documented. Based on these obligations, EDSA prepared the Guidelines.
Case studies
The examples are divided into 5 main types (ransomware, data exfiltration, internal human source of risk, lost or stolen devices or paper documents, incorrect mailing). Each example sets out the initial actions that need to be taken, a detailed risk analysis, risk mitigation measures and the obligations of the responsible party.
Ransomware attacks
For ransomware attacks, the relevant factors are whether a back-up exists, whether data exfiltration occurred, the volume of affected data and whether special categories of data were affected. The outcome of the assessment for otherwise similar ransomware attacks may therefore vary from case to case, depending on the above-mentioned aspects.
Data exfiltration attacks
This involves unauthorized transfers of, or access to, data. Relevant for the risk analysis is the extent to which the attackers had access to the data concerned. Naturally, such an attack will be handled differently for controllers holding particularly sensitive data (e.g. banks) than for controllers who do not hold such confidential data.
Lost or stolen equipment and paper documents
The type of personal data involved, the security measures applied and similar factors must be assessed. Depending on whether the data is, for example, encrypted, or whether special categories of personal data are involved, specific measures have to be taken.
Conclusions
The Guidelines are an important tool in the event of a data breach. Each breach shall be considered on a case-by-case basis, and the specific situation shall be reflected in the data protection impact assessment.
Please find more detailed information under: https://stalfort.ro/wp-content/uploads/2022/04/20220427_CL_When_and_how_are_data_breaches_to_be_reported.pdf