On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.

The Guidelines reiterate at the outset that the GDPR establishes a low threshold for notifying personal data breaches to a supervisory authority.  Specifically, under Article 33 GDPR, a controller must notify a personal data breach to a competent supervisory authority (which must occur “without undue delay and, where feasible, not later than 72 hours after having become aware of it”) unless the data breach is “unlikely to result in a risk” (our emphasis) to individuals’ rights and freedoms.

By contrast, notifying a personal data breach to affected individuals under Article 34 GDPR (here, “without undue delay”) is required only if the breach is “likely to result in a high risk” (emphasis added) to individuals’ rights and freedoms.

The bar to notify supervisory authorities of a breach under the GDPR is therefore lower than to notify affected individuals; as such, Article 33 GDPR appears to make the obligation to notify the supervisory authority the rule.  The Guidelines also emphasize the obligation to keep internal records of breaches in each and every case – whether or not notification is required.

In short, Articles 33 and 34 of the GDPR require a data controller to, within a very short period of time, carefully assess the risk(s) of a particular incident and decide whether or not notification is required by law – a decision which may have far-reaching consequences.  The EDPB acknowledges that its existing Guidelines on personal data breach notification (available here) do “not address all practical issues in sufficient detail”.  As a result, the EDPB has expanded these Guidelines to include illustrative examples and more detailed recommendations, to serve as a practical resource to help organizations comply.  Some national supervisory authorities have also provided guidance and parameters in the meantime, in order to help organizations assess and qualify the risks associated with a data breach.  For example, the conference of the German supervisory authorities (DSK) has published the so-called Kurzpapier 18 (available here), which describes the various steps organizations should take in the course of a risk assessment, including various risk allocations.

The EDPB’s draft Guidelines are divided into six sections with examples of the following types of personal data breaches:

  • ransomware attacks;
  • data exfiltration;
  • internal human-related risks;
  • lost or stolen devices and/or documents;
  • postal mail-related breaches; and
  • social engineering.

For each example, the EDPB methodically considers:

  • the measures put in place (if any) by the data controller to protect personal data and prevent a breach;
  • the circumstances surrounding the breach;
  • the resulting risk based on the above factors;
  • mitigating steps that should be taken by the controller; and
  • the controller’s ensuing obligations.

These case studies may serve as helpful benchmarks for organizations seeking greater clarity about the types of data incidents that meet the notification threshold, and those that do not.  The Guidelines provide only general guidance and do not obviate the need for a detailed analysis of each individual case.

The Guidelines are significant in that they give recommendations on specific types of technical and organizational measures that data controllers should consider implementing to prevent a personal data breach and reduce the severity of a breach.  These include measures to:

  • prevent/mitigate the impacts of ransomware attacks (e.g., by forwarding or replicating all logs to a central log server, possibly including the signing or cryptographic time-stamping of log entries); and
  • prevent/mitigate credential-stuffing attacks (e.g., by ensuring there are strong user privileges and access controls in place).  The Guidelines’ emphasis on strong access controls notably echoes the advice of the UK Information Commissioner’s Office when it announced a recent fine against Marriott International in relation to a major data breach.
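The first of those measures, forwarding logs to a central server and signing or time-stamping the entries, is worth seeing in working form, because its value lies in what a verifier can prove after the fact: which entry was removed, which was altered, and which was not issued by the server at all. The following Python sketch is an added example; it is not from the Guidelines, the EDPB or the authors of this post. It assumes a central log server that alone holds an HMAC key, uses its own clock in place of a true cryptographic time-stamping authority, and builds a hash chain in which each entry commits to the digest of the one before it. The key, the host names and the sample log lines are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed key for this example only. In a real deployment the key lives on the
# central log server (ideally in an HSM or KMS) and never on the hosts that ship
# logs, so a compromised host cannot re-sign a doctored history.
SERVER_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # digest the first entry chains to


def canonical_body(prev: str, ts: float, source: str, msg: str) -> bytes:
    """Deterministic encoding so writer and verifier hash identical bytes."""
    return json.dumps(
        {"prev": prev, "ts": ts, "source": source, "msg": msg},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_entry(prev: str, ts: float, source: str, msg: str, key: bytes = SERVER_KEY) -> dict:
    """Time-stamp, chain and HMAC-sign one received log line on the central server."""
    body = canonical_body(prev, ts, source, msg)
    return {
        "prev": prev, "ts": ts, "source": source, "msg": msg,
        "digest": hashlib.sha256(body).hexdigest(),
        "hmac": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def ingest(raw_lines, key: bytes = SERVER_KEY, clock=time.time) -> list:
    """Build the signed chain from (source, message) pairs received from hosts."""
    chain, prev = [], GENESIS
    for source, msg in raw_lines:
        entry = sign_entry(prev, clock(), source, msg, key)
        chain.append(entry)
        prev = entry["digest"]
    return chain


def verify_chain(chain, key: bytes = SERVER_KEY):
    """Return (ok, index_of_first_bad_entry, reason); checks order, content and signer."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = canonical_body(e["prev"], e["ts"], e["source"], e["msg"])
        if e["prev"] != prev:
            return False, i, "chain break: an earlier entry was removed or reordered"
        if hashlib.sha256(body).hexdigest() != e["digest"]:
            return False, i, "digest mismatch: entry content was altered"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["hmac"]):
            return False, i, "bad signature: entry was not issued by the log server"
        prev = e["digest"]
    return True, None, "ok"


# Constructed sample lines as they might arrive from two hosts during an incident.
SAMPLE_LINES = [
    ("host-a", "sshd: Accepted publickey for svc-backup from 10.0.0.5"),
    ("host-a", "sudo: svc-backup : COMMAND=/usr/bin/systemctl stop auditd"),
    ("host-b", "kernel: EXT4-fs warning: unable to read superblock"),
]
EDITED_MSG = "sudo: svc-backup : COMMAND=/usr/bin/systemctl status auditd"


def demo() -> dict:
    """Run the verifier over an intact copy and three tampered copies of the chain."""
    chain = ingest(SAMPLE_LINES, clock=lambda: 1700000000.0)
    results = {"intact": verify_chain(chain)}

    # Case 1: the sudo line is missing from the copy under review.
    results["deleted"] = verify_chain([chain[0], chain[2]])

    # Case 2: the sudo line's text was changed, digest and HMAC left untouched.
    edited = [dict(e) for e in chain]
    edited[1]["msg"] = EDITED_MSG
    results["edited"] = verify_chain(edited)

    # Case 3: the changed line was re-signed, but with a key other than the server's.
    resigned = [dict(e) for e in chain]
    resigned[1] = sign_entry(chain[0]["digest"], 1700000000.0, "host-a",
                             EDITED_MSG, key=b"not-the-server-key")
    results["resigned"] = verify_chain(resigned)
    return results


if __name__ == "__main__":
    for name, (ok, idx, reason) in demo().items():
        print(f"{name:9s} ok={ok} index={idx} {reason}")
```

The three checks are deliberately ordered: a chain break is reported before a content or signature problem, so the verifier points at the earliest position where the record stopped matching what the server issued. For the Guidelines' purpose, that is the information a controller needs when assessing, within the 72-hour window, whether the available logs can be trusted to scope the breach.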

Finally, the Guidelines stress the need for organizations to adequately prepare for personal data breaches well in advance.  They state that “[e]very controller should have plans [and] procedures in place for handling eventual data breaches… [as well as] clear reporting lines and persons responsible for certain aspects of the recovery process.”  The Guidelines call on organizations to implement an incident response plan, a disaster recovery plan, a business continuity plan, and a “Handbook on Handling a Personal Data Breach” to train, educate and raise awareness among employees.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Lars Lensdorf

Lars Lensdorf is a partner in the Frankfurt office. He focuses on IT law, outsourcing, digitalization/industry 4.0, IT-related bank regulatory matters and data protection. Dr. Lensdorf’s practice covers all types of IT and outsourcing agreements, all matters of digitalization and industry 4.0, including online procurement platforms, IT-compliance matters (including cybersecurity) as well as data protection.

He also focuses on interfaces to other practice areas to the extent that IT-related matters are affected, e.g. regulatory requirements for banking and financial services as well as public procurement law. A significant part of Dr. Lensdorf’s practice is currently advice in connection with the implementation of the GDPR (data protection) in Europe.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.