Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for controllers to supervisory authorities, whether such obligation has been triggered continues to present unique and complex questions in each specific security event. To help aid companies sorting through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.

The guidelines are intended to supplement the October 2017 general guidance provided by the Article 29 Working Party, the predecessor to the EDPB. The guidelines walk through 18 examples covering the most common security event scenarios, including ransomware attacks, data exfiltration attacks, human errors lost or stolen devices and paper documents, “mispostal,” and social engineering, such as identity theft and email exfiltration. For each example scenario, the EDPB identifies whether notification would be required to the relevant supervisory authority or data subjects, as well as mitigation measures.

The guidelines also note several recommendations for data breach management such as implementing plans, procedures and guidelines, regular employee training, and documenting breaches in each and every case, irrespective of the risk they pose.

Putting it Into Practice: Notification obligations are very fact specific and will depend on the circumstances of each unique event. Organizations are reminded of the importance of data breach preparedness efforts. This includes activities such as preparing incident response plans and playbooks, training of those plans, simulating an event through a tabletop scenario, and reviewing cyber insurance policies. The EDPB guidelines are open for public comment until March 2, 2021. Feedback may be submitted here.