Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

Sheppard Mullin Richter & Hampton LLP

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour obligation for controllers to report to supervisory authorities, whether that obligation has been triggered continues to present unique and complex questions in each security event. To help companies sort through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.

The guidelines are intended to supplement the October 2017 general guidance provided by the Article 29 Working Party, the predecessor to the EDPB. The guidelines walk through 18 examples covering the most common security event scenarios, including ransomware attacks, data exfiltration attacks, human errors, lost or stolen devices and paper documents, “mispostal,” and social engineering, such as identity theft and email exfiltration. For each example scenario, the EDPB identifies whether notification would be required to the relevant supervisory authority or data subjects, as well as mitigation measures.

The guidelines also note several recommendations for data breach management, such as implementing plans, procedures and guidelines, providing regular employee training, and documenting breaches in each and every case, irrespective of the risk they pose.

Putting it Into Practice: Notification obligations are very fact specific and will depend on the circumstances of each unique event. Organizations are reminded of the importance of data breach preparedness efforts. This includes activities such as preparing incident response plans and playbooks, training on those plans, simulating an event through a tabletop scenario, and reviewing cyber insurance policies. The EDPB guidelines are open for public comment until March 2, 2021. Feedback may be submitted here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
