Examples regarding personal data breach notification
By Mugurel Olariu, RPD protectie date
The European Data Protection Board (EDPB) adopted version 2.0 of Guidelines 01/2021 on Examples regarding Personal Data Breach Notification at its meeting of 14 December 2021. Version 1.0 had been adopted on 14 January 2021 for public consultation.
The guidelines continue the work of the Article 29 Working Party (WP29), namely Opinion 03/2014 on Personal Data Breach Notification (WP 213) and the Guidelines on Personal data breach notification under Regulation 2016/679 (WP 250), adopted on 3 October 2017 and last revised on 6 February 2018, and are intended to clarify this subject further.
This document is meant to complement the WP 250 Guidelines and reflects the common experience of the EEA supervisory authorities since the GDPR became applicable. Its purpose is to help data controllers decide how to handle a personal data breach and which factors to consider when assessing the risk.
Before a controller can address a breach it must first be able to recognise one. Article 4(12) GDPR defines a "personal data breach" as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
Breaches can be categorised according to the following three well-known information security principles:
● “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
● “Integrity breach” – where there is an unauthorised or accidental alteration of personal data.
● “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
A breach can have a range of significant adverse effects on individuals, resulting in physical, material or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligations of the controller is to assess these risks to the rights and freedoms of data subjects and to implement appropriate technical and organisational measures to address them.
Guidelines 01/2021 cover six categories of personal data breach: ransomware; data exfiltration attacks; internal human risk sources; lost or stolen devices and paper documents; mispostal; and other cases, namely social engineering with identity theft and e-mail exfiltration.
The accountability principle and the concept of data protection by design can be given concrete form in a controller's or processor's own "Manual for the management of personal data breaches", which sets out the situations that may arise at each major stage of processing. Such a prepared manual gives controllers and processors a much faster source of guidance for reducing the risk and meeting their obligations without undue delay. It ensures that, if a breach occurs, staff know what to do, and the incident is likely to be handled more quickly than if no mitigation measures or plan were in place.
Although the cases presented in Guidelines 01/2021 are fictitious, they are based on typical breach notifications drawn from the practical experience of the national supervisory authorities. The analyses refer explicitly to the cases under examination, but their aim is to assist controllers in assessing their own personal data breaches.
Any change in the circumstances of the cases described may result in different or higher levels of risk, requiring different or additional measures. The guidelines group the cases by category of breach (for example, ransomware attacks). Each category calls for specific measures, and these are not necessarily repeated for every case within the same category: for cases in the same category, only the differences are set out. A controller should therefore read all the cases relevant to the category of breach in question in order to identify the full set of appropriate measures.
Internal documentation of a breach is an obligation independent of the risk posed by the breach and must be carried out in every case. The cases in the guidelines seek to clarify whether or not the breach must be notified to the national supervisory authority and when it must be communicated to the affected data subjects.
The 18 examples follow a common structure: the working hypothesis; sections on prior measures and risk assessment and on mitigation measures; and a table of the obligations of the controller and the processor. The obligations are presented schematically with check marks against three actions: internal documentation, notification of the supervisory authority, and communication to the data subject.
The guidelines also bear in mind the controller/processor tandem: under Article 33(2) GDPR[1] the processor is obliged to notify the controller without undue delay.
————————————————————
[1] Article 33(2) GDPR: "The processor shall notify the controller without undue delay after becoming aware of a personal data breach."