The European Data Protection Board published some great new guidelines about data breaches last week. What makes the guidance great is that it essentially works through 18 use-cases including examples such as mailing things to the wrong person, exfiltration of data by a former employee, the accidental transmission of data, and various flavours of a ransomware attack. For each use-case, the EDPB paper discusses risk assessment and measures that could be taken to reduce risk as well as mitigation measures and controller obligations in the circumstances of each specific breach example.
As with most EDPB guidance, it is easy to read, practically oriented and reasonably conclusive, lacking the woolliness of some of the other guidance out there. It provides an opinion on the need to report a data breach to the supervisory authorities as well as on the need to communicate it to data subjects, both of which are useful barometers for DPOs and privacy officers.
Read in conjunction with the ICO’s personal data breach guidance, it should put data protection compliance managers in a good position to review their own policies and procedures.
You might be thinking, “what do we care about the EDPB?” Well, for a start, it is good guidance. There is nothing wrong with it at all, and it is the result of the work of several expert data protection brains. At the very least, the guidance provides us with an insight into the expectations of the ICO and EDPB in the event of a security incident and personal data breach. Why would you not take EDPB guidance on board? Whilst it has been written in relation to the EU GDPR, the UK GDPR is essentially an identical copy in its operative parts, including with regard to personal data breaches.
The Outsourced DPO is an avid reader of all sorts of opinion and guidance from a variety of sources – essential reading to spark that extra thought or a new way of looking at a scenario. We might not be a member of the EU anymore, but the EDPB still has a key role to play in publishing considered and relevant opinions, advice and guidance. The 34-page personal data breach guidance, despite being in its draft form, is well worth a read: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf