New Data Breach Guidelines Issued

By Myles Dacres

The European Data Protection Board published some great new guidelines about data breaches last week.  What makes the guidance great is that it essentially works through 18 use-cases including examples such as mailing things to the wrong person,  exfiltration of data by a former employee, the accidental transmission of data, and various flavours of a ransomware attack.  For each use-case, the EDPB paper discusses risk assessment and measures that could be taken to reduce risk as well as mitigation measures and controller obligations in the circumstances of each specific breach example.

As with most EDPB guidance, it is easy to read, practically oriented and reasonably conclusive, lacking the wooliness of some of the other guidance out there.  It provides an opinion on the need to report a data breach to the supervisory authorities as well as the need to communicate it to data subjects both of which are useful barometers for DPOs and privacy officers.

Read in conjunction with the ICO’s personal data breach guidance, data protection compliance managers should be in a good position to review their own policy and procedures.

You might be thinking, “what do we care about the EDPB?”  Well, for a start, it is good guidance.  There is nothing wrong with it at all and is the result of the work of several expert data protection brains.  At the very least the guidance provides us with an insight into the expectations of the ICO and EDPB in the event of a security incident and personal data breach.  Why would you not take EDPB guidance on board?  Whilst it has been written in relation to the EU GDPR, the UK GDPR is essentially an identical copy in its operative parts, including with regard to personal data breaches.

The Outsourced DPO is an avid reader of all sorts of opinion and guidance from a variety of sources – essential reading to spark that extra thought or a new way of looking at a scenario.  We might not be a member of the EU anymore, but the EDPB still has a key role to play in publishing considered and relevant opinions, advice and guidance.  The 34-page personal data breach guidance despite being in its draft form is well worth a read

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021