The European Data Protection Board (“EDPB”) has published supplementary guidelines (“Guidelines”) to the existing personal data breach notification guidance issued by its predecessor, the Article 29 Working Party. The Guidelines include 18 case studies based on EU data protection authorities’ collective experience, covering data breaches arising from ransomware, data exfiltration attacks, human errors or risks, loss of devices or documents, posting errors and social engineering.
Additionally, the Guidelines set out the rationale for whether to notify data subjects and/or supervisory authorities in respect of breaches in each scenario, as well as suggested mitigation steps to take and best practices after the data breaches.
Why the Guidelines are needed and their relevance to UK businesses
The existing guidance on data breach notification predates the General Data Protection Regulation (“GDPR”). During the two and a half years since GDPR came into force, many supervisory authorities have experienced over-reporting of potential data breaches, yet some of the more serious breaches were not reported promptly. The Covid-19 crisis has also fast-tracked technology transformation across almost all sectors, which has given rise to increased cybersecurity and privacy risks. The updated, refreshed and scenario-based Guidelines, reflecting the changing landscape of cybersecurity and personal data breaches, will therefore be welcomed by businesses and public sector entities across the EU and UK.
Whilst the UK has left the European Union, UK businesses that are caught by the GDPR’s extra-territorial scope, for example by targeting EU data subjects and selling goods or services to them, will still need to comply with GDPR. Personal data of EEA data subjects collected prior to 31 December 2020 also continues to be regulated by GDPR as it stood on that date. Even for personal data caught only by the UK GDPR, the UK ICO has acknowledged that most pre-existing EDPB guidance remains helpful and persuasive for the UK regime and, to avoid the risk of the UK not obtaining an adequacy decision from the EU, the UK ICO is likely to take similar approaches to EDPB guidance in practice.
Key takeaways from the Guidelines
As the Guidelines are scenario-based, each scenario contains nuanced differences in its factual matrix. The Guidelines are therefore worth a thorough read for data protection professionals and DPOs.
However, the Guidelines present a few common themes which we have summarised below.
- The Guidelines are relevant for enforcement actions - The scope of the Guidelines extends to mitigation steps businesses can take and security measures to be implemented after data breaches, meaning that the Guidelines could also be relevant when supervisory authorities are determining whether appropriate security measures have been implemented when deciding on enforcement actions.
In particular, the EDPB highlighted the importance of organisations having appropriate breach procedures in place and re-emphasised the importance of regular training sessions. The EDPB also noted that controllers handling sensitive data (including financial information) bear a higher degree of responsibility to ensure the security of the personal data processed, and that failure to achieve these higher standards will result in more serious measures being imposed by supervisory authorities.
- Consider impact of a data breach on the confidentiality, integrity and availability of the data - Throughout the Guidelines, the EDPB has considered the impact of each data breach on these three aspects of the affected data. In most cases, breaches of data confidentiality are likely to result in higher risks than simple breaches of availability.
The Guidelines highlight examples where mere data unavailability can trigger notification obligations under GDPR. For example, unavailability of hospital records is considered to be likely to result in material impacts on affected data subjects (e.g. delay in treatments) and therefore could still trigger GDPR notification obligations.
- Factors relevant for determining whether a breach is of high risk and therefore should be notified are non-exhaustive; however, we have identified the following points to note:
- The nature, volume and context of personal data affected and the potential impact on the data subjects: for example, loss of special category data, data revealing a person’s private life, or data that may lead to identity theft or financial loss of the data subject is more likely to give rise to notification obligations.
- The nature of the unauthorised access: for example, whether the data accessed without authorisation had also been copied or exfiltrated. In general, unauthorised access without exfiltration is considered to be lower risk.
- Whether the compromised data has been encrypted using state-of-the-art techniques, whether the decryption key has been compromised, and, in the case of passwords, whether cryptographic hashing and salting have been applied. Where such technical measures are not in place, the data breach is more likely to present higher risks to individuals.
- Whether the adverse effect of a data breach can be mitigated within the urgent notification timeframe: for example, by recovering the compromised data from well-maintained back-ups within the 72-hour time limit for notifying a data breach. Difficulties in recovering compromised data during that period will increase the risks that the data breach poses to the relevant data subjects.
This article was written by Yunzhe Zhang