New guidelines published on 14 January provide both practical examples of when to notify a data breach and “advisable measures” which organisations can take to mitigate their cyber risk.
Since the introduction of GDPR, the ICO has received over 30,000 data breach notifications. It has also reported a major increase in queries from controllers on data breach notifications. This has accelerated in recent months, not least as hackers target security systems made more vulnerable by the increased number of people working from home as a result of Covid-19. The ICO has been clear about this risk, warning businesses to review their cyber and data policies and to take appropriate steps to protect personal data, while at the same time reminding controllers that not every data breach needs to be reported. Nonetheless, it remains the case that many still make ‘precautionary’ notifications through over-caution and risk-aversion.
Helpfully, the European Data Protection Board (EDPB) has now published draft guidelines on how to handle data breaches and mandatory notifications. These guidelines supplement the general guidance provided by the predecessor to the EDPB, the Article 29 Working Party, in October 2017 (Guidelines WP250) and provide the much-needed additional practical detail which, as recognised by the EDPB itself, was missing from the Guidelines WP250. Although EDPB guidelines are no longer binding on the UK data protection regime, the ICO has noted that they remain a useful reference and currently directs controllers to the old Guidelines WP250.
Drawing on the experience of data protection authorities across the EU, the EDPB guidelines take the form of eighteen worked-through examples, covering the most common (albeit fictitious, we are told) data breach scenarios, including ransomware attacks, data exfiltration attacks, human risks and lost or stolen hardware. They contain clear and practical advice on dealing with data breaches and notification within the GDPR timeframes, organised by type of breach or attack; for example, what to do if your business has been hit by a ransomware attack and no back-ups are in place, what to do if an ex-employee has taken data, etc. They also address what sort of risks a controller should consider when an incident has occurred and what information should be captured when documenting this process. Going forward, the ICO may well direct controllers to the new EDPB guidelines, given that preventing over-notification of breaches benefits both the ICO and controllers.
Finally, the guidelines also set out examples of what the EDPB considers “advisable measures” which controllers should implement to protect or mitigate against a range of data breach scenarios. These will be of particular interest to businesses currently reviewing or updating their own data/cyber security regimes, plans and policies in light of the current increased cyber threat.
The guidelines are open for public consultation until 2 March 2021, after which replies will be made available on the EDPB website.