CIPL provides a response to the EDPB guidelines on examples of data breach notification
On March 2, 2021, the Center for Information Policy Leadership (“CIPL”) in Hunton Andrews Kurth submitted its response to the consultation of the European Data Protection Board (“EDPB”) on draft guidelines on examples of data protection breaches (the “Guidelines” ). ). The guidelines were adopted for public consultation on January 14, 2021.
The guidelines of the EDPB should contain specific use cases and recommendations for violations of personal data in order to support organizations in the implementation of relevant technical and organizational measures. (2) understand the risk factors to consider when assessing a data breach; and (3) decide whether notification to the Regulatory Authority (“SA”) or data subjects is required.
CIPL welcomes the guidance, which comes at a time when cyber-attacks intensify as a result of the remote working shift triggered by the COVID-19 crisis, and should help organizations avoid over-reporting.
CIPL includes comments on the specific use cases included in the guidelines, as well as key recommendations to the EDPB to better adapt to the realities organizations face in handling data breaches. These are to:
- Clarification of the relationship between the guidelines and previous Working Group 29 guidelines on reporting personal data breaches under the EU General Data Protection Regulation (“GDPR”);
- Recognition of the risk-based security approach of the GDPR;
- Avoid pointing out that organizational and technical measures can easily prevent data breaches without considering the specific context of each organization and the breach.
- Do not come to the conclusion that a data breach indicates incorrect organizational measures;
- Clarification that a risk assessment includes an analysis of the likelihood and severity of the risks to the rights and freedoms of individuals;
- Do not rely on the number of potentially affected people to determine if notification is required.
- Make sure that the risk analysis is carried out appropriately, taking into account the state of the art at the time of the breach, and only exclude speculative considerations or remote possibilities of the risk occurring.
- Be aware that global and sophisticated incidents may be more difficult to identify and lead to longer deadlines for communication with appropriate internal channels.
- Clarify how companies can reconcile a short notice period with the need for due diligence and taking corrective action in more complex scenarios. and
- Avoid setting thresholds that are too low to notify regulators and individuals.
Download CIPL’s full response to the consultation.