In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory authorities — previously endorsed the February 2018 guidelines on personal data breach notification. On Jan. 19, 2021, the EDPB published draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “draft Guidelines”) to complement the initial notification guidelines. The draft Guidelines provide 18 sample data breach scenarios and offer guidance as to how data controllers should respond to such incidents and analyze potential notification obligations.
The draft Guidelines begin by reiterating core notification principles from the 2018 guidelines. Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Three types of personal data breaches trigger a notification obligation: (a) “confidentiality breaches,” which occur when there is an unauthorized or accidental disclosure of, or access to, personal data; (b) “integrity breaches,” which involve the unauthorized or accidental alteration of personal data; and (c) “availability breaches,” which involve the unauthorized or accidental loss of access to, or destruction of, personal data. Notice is required to be given to appropriate supervisory authorities within 72 hours after controllers become aware of a personal data breach, unless the breach is unlikely to create a risk to a data subject’s rights and freedoms. The draft Guidelines state controllers should make this risk assessment when they become aware of the breach and should not wait for a detailed forensic examination before assessing the breach’s impact.