On 14 January 2021, the European Data Protection Board (EDPB) adopted draft guidelines on examples regarding data breach notification (Guidelines 01/2021). The aim of this document is, through the presentation of typical personal data breach cases, to help data controllers in determining how to handle data breaches.
The EDPB’s clarifications are useful since articles 33 and 34 of the GDPR oblige data controllers to notify a personal data breach to the supervisory authority (SA) if it is likely to result in a risk to the rights and freedoms of the data subject, and, in certain cases, to communicate it to the affected data subjects as well.
The guidelines are intended to complement the Article 29 Working Party’s earlier guidance on data breach notification (“Guidelines on Personal data breach notification under Regulation 2016/679, WP 250”) and to provide practice-oriented, case-based guidance. In its guidelines, the EDPB analyses recurring and well-known situations such as ransomware attacks, breaches as a result of human errors, and the loss or theft of devices and paper documents.
• Ransomware attacks
Many organisations are or will someday be confronted with a ransomware attack, which is a frequent cause for data breach notification. The EDPB therefore describes several cases of ransomware attacks in various circumstances, such as ransomware with and without proper backup and with and without data exfiltration. For each case, the guidelines discuss the prior measures, risk assessment, mitigation and obligations of data controllers.
Since the majority of these breaches can be prevented by ensuring that appropriate organisational, physical and technological security measures are in place, the EDPB also lists various advisable measures, such as:
- segmenting or isolating data systems and networks;
- encryption and authentication;
- proper patch management;
- anti-malware detection systems;
- an up-to-date, secure and tested backup procedure;
- training, education and awareness programmes for employees.
• Human errors
Human errors, both intentional and unintentional, are also a very common cause of personal data breaches. The cases discussed in the EDPB’s guidelines include an employee copying business data from the company’s database in order to use it for the benefit of his new business; a trusted third party gaining access to customer information beyond its remit because of faulty settings in an Excel file received by e-mail; and an employment department sending an e-mail message to the individuals registered in its system as jobseekers while mistakenly attaching a document containing the personal data of all of those jobseekers.
Although the EDPB notes that, for these types of data breaches, it is hard for data controllers to identify the vulnerabilities and adopt measures to avoid them, the guidelines list various measures that should help lower the likelihood of such breaches occurring, such as:
- training, education and awareness programmes for employees;
- well-thought-out access policies and continuous control;
- checking for unusual data flows between the file server and employee workstations;
- disabling the company-related account of a user as soon as that person leaves the company;
- taking appropriate legal action if necessary;
- setting precise standards for sending letters and e-mails;
- applying the four-eyes principle;
- applying a delay to outgoing messages;
- disabling autocomplete when typing in e-mail addresses.
• Loss or theft of devices and paper documents
The EDPB also discusses the loss or theft of devices and paper documents. In this regard, the EDPB looks at the theft of an employee’s notebook computer storing the personal data of more than 100,000 customers without password protection or encryption; the theft of tablets containing an app with personal data about children, but protected by a strong password; and the theft of a paper log book containing the identity and health data of patients from a drug addiction rehab facility.
Here as well, the EDPB concludes with a list of advisable measures to prevent such breaches from occurring, including:
- the use of encryption, passwords and multi-factor authentication;
- the use of mobile device management software and device location tracking;
- where possible and appropriate, storing personal data on a central back-end server rather than on a mobile device;
- using a secure VPN;
- providing physical locks to employees;
- proper regulation of device usage inside and outside the company;
- avoiding storing sensitive information on mobile devices or hard drives.
Please contact Karel Janssens for further information regarding the above and/or for general legal advice relating to privacy and data protection.