Following a public consultation on an initial version released last January, the European Data Protection Board (“EDPB”) last month adopted a final version of its Guidelines on Examples regarding Personal Data Breach Notification (“Guidelines”). The Guidelines provide (somewhat) helpful guidance for organizations subject to GDPR that encounter a security incident involving personal data.
This post summarizes key practical takeaways from that guidance, which takes the form of 18 fictitious (but in our experience, representative) breach scenarios and the EDPB’s analysis of how GDPR’s notification requirements apply to each.
Personal Data Breach Assessment and Notification under GDPR
As a refresher, in the event of a personal data breach, GDPR Article 33 requires controllers to notify the relevant supervisory authority (“SA”) without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Controllers are not, however, required to notify the SA if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons.”
GDPR Article 34, by contrast, requires controllers to notify the affected data subject of a personal data breach “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.” The bar for notification of individual data subjects is thus higher than the bar for notification of SAs.
The controller’s analysis of whether a personal data breach is likely to result in a “risk” or a “high risk” to the rights and freedoms of natural persons is referred to in the Guidelines as the “risk assessment.” As the Guidelines explain, the risk assessment requires the controller to evaluate, among other things, the nature, sensitivity, and volume of the personal data affected in the breach.
Breach-Related Organizational Measures Required by the Guidelines
The Guidelines first describe several organizational measures that all controllers and processors should implement to protect against the risk of a personal data breach. To that end, the Guidelines state that controllers and processors should:
- have procedures in place for handling data breaches;
- establish clear reporting lines and individuals responsible for aspects of the breach investigation and mitigation process;
- conduct regular staff training and awareness on data protection issues, with a focus on personal data breach management and identification of data breach incidents; and
- incorporate breach response planning into each facet of the organization’s data processing as part of the data protection by design principle.
Controllers are also required by GDPR Article 33 to document any personal data breaches, including the facts related to the breach, its effects, and the remedial actions taken. This documentation is required regardless of the outcome of the controller’s risk assessment.
Controllers should take care not to phone in this documentation, since the SA can request a copy of the controller’s internal breach documentation and use it to verify the controller’s compliance with GDPR.
Key Takeaways from Examples of Personal Data Breaches
The fictitious breaches analyzed in the Guidelines fall into six categories: (1) ransomware attacks, (2) data exfiltration attacks, (3) internal human-related risk source, (4) lost or stolen device and/or paper document, (5) misdirected mailing, and (6) social engineering.
For each sample breach, the Guidelines step through how to determine whether SA and data subject notification is required by: (a) identifying the security measures in place before the breach, (b) conducting the risk assessment, and (c) evaluating the effectiveness of any mitigation steps and preventive measures put in place by the controller.
Here are some of our key practical takeaways from the Guidelines:
- You probably can’t buy time on the 72-hour SA notification clock while you investigate and conduct the risk assessment.
The EDPB will likely not let you get cute with when you “became aware” of the personal data breach. The Guidelines state that the “notification does not need to be postponed until the risk and impact surrounding the breach has been fully assessed, since the full risk assessment can happen in parallel to notification, and the information thus gained may be provided to the SA in phases without undue further delay.”
The Guidelines emphasize that “the controller should not wait for a detailed forensic examination and (early) mitigation steps before assessing whether or not the data breach is likely to result in a risk and thus should be notified.” It would thus be prudent for controllers to notify the SA as soon as they decide that the personal data breach is likely to result in a risk to the rights and freedoms of data subjects. That decision should, if possible, be made within 72 hours of discovering the personal data breach, and should not be delayed for further legal analysis or investigation.
- What constitutes “Risk” vs. “High Risk” to data subjects remains somewhat elusive.
Although the Guidelines provide several examples of personal data breaches that result in a “high risk” to the rights and freedoms of data subjects (and thus require both SA and data subject notification), the Guidelines do not set out clear criteria for what should be considered “risk” versus “high risk.” The Guidelines purport to provide guidance on the concept of “likely to result in high risk” by cross-referencing the Article 29 Working Party’s Guidelines on Data Protection Impact Assessment (DPIA) (since the trigger for conducting a DPIA is high-risk processing activities). But that guidance document is not particularly helpful in the breach context given that it analyzes high-risk processing activities by a controller (e.g., automated decision-making, systematic monitoring) and not the level of risk to individuals because of a breach of particular personal data.
The Guidelines also suggest that the compromise of special categories of personal data is not necessarily a proxy for “high risk,” because one of the breach examples concludes that notification to data subjects is required even though no special categories of data were compromised. The EDPB does, however, seem to consider a key inquiry to be whether the breach causes a risk of identity theft: all of the example breaches that the EDPB concludes require data subject notification also mention the existence of that risk.
- When responding to a ransomware attack, robust data backup measures can save you from SA notification.
We have already touted the benefits of data and system resilience in this post, but if you needed one more reason to focus on regular and robust backup processes in 2022, here it is: The Guidelines make clear that having effective data backup measures that allow for a speedy continuation of business operations following a ransomware attack can make the difference between notifying the SA and not notifying.
To that end, under the sample ransomware breach where data was backed up electronically and restored within a few hours with no consequences to the day-to-day operations of the controller, the Guidelines conclude that SA notification was not required.
In a separate sample ransomware breach where data had to be restored from paper backups, resulting in a five-day restoration period, loss of metadata, and “minor delays in the delivery of orders to customers,” by contrast, the Guidelines conclude that SA notice was required.
- Comprehensive logging measures will enhance your ability to effectively argue that notification is not required.
The breach reporting outcomes in the Guidelines also suggest that organizations that have implemented robust logging measures will be better equipped to determine that a personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In all of the sample breaches where personal data was potentially exfiltrated from the controller’s electronic systems, the EDPB relied heavily on an analysis of the system logs to determine the impact to the confidentiality of the personal data and whether the personal data was actually accessed by the bad actor.
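To make the logging point concrete, here is an added illustration (written for this summary, not code from the EDPB Guidelines or from this post’s authors) of the kind of evidence a breach team pulls from access-audit logs when filling in the risk assessment: which data subjects a compromised account actually touched in the compromise window, which fields (and in particular identity-theft-relevant fields) were exposed, whether a bulk export occurred, and whether the logs even cover the whole window. The JSON-lines log format, the field names, the `IDENTITY_FIELDS` set, the account name `svc-backup`, and the sample lines are all constructed assumptions.

```python
"""Summarise what a compromised account touched, from access-audit logs.

Added example for illustration only. Assumes a constructed JSON-lines audit
log where each line has: ts, actor, action, and (for data access events)
subject_id and fields. Marker events "logging_disabled"/"logging_enabled"
record gaps in audit coverage.
"""
import json
from datetime import datetime

# Constructed sample audit log (not real data, not from the Guidelines).
SAMPLE_LOG = """\
{"ts": "2022-01-10T01:55:00Z", "actor": "alice", "action": "read", "subject_id": "u100", "fields": ["name", "email"]}
{"ts": "2022-01-10T02:05:00Z", "actor": "svc-backup", "action": "read", "subject_id": "u101", "fields": ["name", "email", "iban"]}
{"ts": "2022-01-10T02:06:00Z", "actor": "svc-backup", "action": "export", "subject_id": "u102", "fields": ["name", "date_of_birth", "national_id"]}
{"ts": "2022-01-10T02:06:30Z", "actor": "svc-backup", "action": "read", "subject_id": "u101", "fields": ["address"]}
{"ts": "2022-01-10T03:00:00Z", "actor": "audit", "action": "logging_disabled"}
{"ts": "2022-01-10T04:10:00Z", "actor": "audit", "action": "logging_enabled"}
{"ts": "2022-01-10T05:00:00Z", "actor": "svc-backup", "action": "read", "subject_id": "u103", "fields": ["name"]}
"""

# Assumed set of fields whose exposure feeds the identity-theft question the
# post highlights; tailor to the data actually held.
IDENTITY_FIELDS = {"national_id", "date_of_birth", "iban", "passport_number"}

MARKERS = ("logging_disabled", "logging_enabled")


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts with datetime ts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return events


def assess_access(events, actor, window_start, window_end):
    """Summarise what `actor` accessed between window_start and window_end.

    Returns the affected data subjects and fields, whether an export was
    observed, and whether audit coverage was complete for the window. An
    incomplete log cannot demonstrate that data was *not* accessed, which is
    exactly the situation the Guidelines' examples treat as higher risk.
    """
    start, end = _parse_ts(window_start), _parse_ts(window_end)
    ordered = sorted(events, key=lambda e: e["ts"])

    # Work out whether logging was on when the window opened.
    logging_on_at_start = True
    for e in ordered:
        if e["action"] in MARKERS and e["ts"] < start:
            logging_on_at_start = e["action"] == "logging_enabled"

    # Any disable inside the window also leaves an evidence gap.
    gap_in_window = any(
        e["action"] == "logging_disabled" and start <= e["ts"] <= end
        for e in ordered
    )

    subjects, fields, exported = set(), set(), False
    for e in ordered:
        if e["action"] in MARKERS or e["actor"] != actor:
            continue
        if not start <= e["ts"] <= end:
            continue
        subjects.add(e["subject_id"])
        fields.update(e["fields"])
        if e["action"] == "export":
            exported = True

    return {
        "subjects_affected": sorted(subjects),
        "fields_affected": sorted(fields),
        "identity_fields": sorted(fields & IDENTITY_FIELDS),
        "export_observed": exported,
        "evidence_complete": logging_on_at_start and not gap_in_window,
    }


if __name__ == "__main__":
    summary = assess_access(parse_log(SAMPLE_LOG), "svc-backup",
                            "2022-01-10T02:00:00Z", "2022-01-10T04:30:00Z")
    print(json.dumps(summary, indent=2))
```

The `evidence_complete` flag is the part worth keeping even if everything else is adapted: when audit coverage has a hole inside the compromise window, the honest answer to “was the personal data actually accessed?” is “we cannot show it was not,” and the risk assessment should be written on that basis rather than on the absence of log entries.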
- When evaluating the risk to data subjects arising out of a personal data breach, think outside the (U.S. data breach notification law) box.
Finally, the Guidelines serve as a much-needed reminder that European regulators’ perception of the risk to data subjects arising from a personal data breach will likely be different than U.S. regulators’. We U.S.-based privacy practitioners are accustomed to evaluating harm thresholds that are baked into U.S. data breach notification laws. Those harm thresholds often require an evaluation of whether the breach causes the individual “substantial harm,” “substantial economic loss,” or similar.
By contrast, throughout its evaluation of the risks to data subjects, the EDPB raises several other “soft” harms that would not typically factor into a U.S. risk-of-harm analysis. The Guidelines, for example, consider risks such as damage to reputation, unauthorized reversal of pseudonymization, and the risk of being targeted with phishing emails, fraudulent text messages, and unsolicited marketing. As such, in the event a GDPR-covered company experiences a personal data breach, it will be important for U.S. practitioners to evaluate the risks to the rights and freedoms of data subjects through the lens of European, not U.S., data protection values.
* * * *
Organizations covered by GDPR should consider these Guidelines as a roadmap for implementing breach prevention measures and making post-breach notification decisions.