EDPB publishes Guidelines on Examples regarding Personal Data Breach Notification

11th January 2022 | data breach

The European Data Protection Board (EDPB) has recently updated its Guidelines on Examples regarding Personal Data Breach Notification. The document sets out eighteen examples of data security incidents of varying risk, together with the mitigating measures the EDPB considers essential in each case.

Every example in the Guidelines comes with a recommendation on what to do based on the identified risks: recording the incident in the organisation's internal breach register (and, where relevant, its business risk register), notifying the organisation's data protection supervisory authority, and, where the risk is high, notifying the individuals affected.

But what is a personal data breach?

A personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’ (Article 4(12) GDPR).

It is helpful to note that, for the purposes of this definition, the legislation makes no distinction between breaches with accidental causes and those with deliberate causes.

Personal data breaches can include:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission; and
  • Loss of availability of personal data.

Additionally, the Guidelines cover various forms of data security incident, such as ransomware, data exfiltration attacks, exfiltration of emails and insider threats.

The specifics of individual incidents vary, so different conclusions will apply to each matter. Below, for reference, is a high-level summary of the notable examples from the EDPB Guidelines; they serve as a useful reminder of the data breach reporting rules.

  • Ransomware with proper backup and no exfiltration

Where an organisation suffers a ransomware incident and can determine (with the help of forensic experts) that the intruder only encrypted the data without exfiltrating it, and a backup is available from which the data can be restored promptly, the Guidelines indicate that the organisation only needs to record the incident in its internal register; no notifications are required.

  • Ransomware with backup and no exfiltration in a hospital

When a hospital determines that an intruder only encrypted data without exfiltrating it, the Guidelines nonetheless treat this as an example of a ransomware attack with a high risk to the rights and freedoms of individuals. This is because restoring the data takes a couple of days, which can delay medical procedures and affect patient care. The hospital must therefore document the incident in its internal register and notify both the supervisory authority and the individuals affected.

  • Accidental transmission of data to a trusted third party

The example concerns an insurance agent who, because of faulty settings in an Excel file he received, was able to view personal data belonging to a few customers who were not in his portfolio. The agent, who was bound by professional secrecy, flagged the issue to the data controller, deleted the flawed Excel file and confirmed in writing to the controller that he had done so.

Given the low number of affected individuals, the immediate detection and the prompt resolution with appropriate measures, the incident did not result in any risk to the individuals, so it only needed to be documented in the organisation’s internal register.

  • Exfiltration of hashed passwords from a website

An attacker exploited a SQL injection vulnerability in the server of a cooking website and exfiltrated almost 1,200 hashed and salted* passwords. Although the confidentiality of the data was compromised, the Guidelines highlight this as an example of an incident that did not require notification to the supervisory authority or to the affected individuals: the passwords had been hashed with a strong algorithm, the salt was not compromised, and the individuals were in any case notified informally and advised to change their passwords. Had the passwords been stored with a fast, unsalted hash, the risk assessment would have been different.

*Salting is the addition of a unique, random value to each password before it is hashed. The salt is normally stored alongside the hash rather than kept secret; its purpose is to ensure that identical passwords produce different hashes and that an attacker cannot reuse a precomputed table of hashes across users or across sites. A deliberately slow password hashing algorithm (such as bcrypt, scrypt, Argon2 or PBKDF2) is what makes each individual guess expensive.
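To make the salting point concrete, the following is an added illustrative example (not the cooking website's code or anything from the EDPB Guidelines). It builds a small credential table in both an unsalted scheme (plain SHA-256) and a salted, slow scheme (PBKDF2-HMAC-SHA256 from the Python standard library), then models what an attacker can do with an exfiltrated copy of each. The user list, the attacker's wordlist, the record format and the work factor are all assumptions constructed for this example.

```python
# Added example: salted vs. unsalted password storage and why an exfiltrated
# table of salted hashes is far less useful to an attacker. Illustrative code,
# not the cooking website's implementation; the user list, wordlist, record
# format and work factor are assumptions constructed for this example.
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: PBKDF2 work factor (production deployments use more)
SALT_BYTES = 16        # 128-bit random salt per password

# Constructed sample data: pseudonymous users, two of whom chose the same password.
SAMPLE_USERS = [
    ("chef_anna", "Tiramisu!2021"),
    ("bob_bakes", "Tiramisu!2021"),
    ("c.louis", "Risotto#9"),
]
# Constructed attacker wordlist; it happens to contain the shared password.
WORDLIST = ["password", "Tiramisu!2021", "letmein", "Risotto#8"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the weak scheme, shown only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, slow hash. Returns a self-describing record of the form
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.
    The salt is random per password and stored next to the digest; it need not be secret."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(users, salted: bool) -> dict[str, str]:
    """Simulate the website's credential table in either scheme."""
    return {u: (hash_password(p) if salted else unsalted_hash(p)) for u, p in users}


def crack_with_precomputed_table(leaked: dict[str, str], wordlist) -> dict[str, str]:
    """Attacker model for an unsalted leak: hash the wordlist once, then look each
    leaked digest up in that table. One cheap lookup per user, reusable across sites."""
    precomputed = {unsalted_hash(w): w for w in wordlist}
    return {user: precomputed[h] for user, h in leaked.items() if h in precomputed}


def crack_salted(leaked: dict[str, str], wordlist) -> dict[str, str]:
    """Against salted records the precomputed table is useless: every guess must be
    rehashed with that user's own salt at the full work factor, for every user.
    Salting does not rescue a weak password that is in the wordlist; it removes the
    attacker's ability to precompute and to crack one hash to expose many users."""
    recovered = {}
    for user, record in leaked.items():
        for w in wordlist:
            if verify_password(w, record):
                recovered[user] = w
                break
    return recovered


if __name__ == "__main__":
    unsalted = build_table(SAMPLE_USERS, salted=False)
    salted = build_table(SAMPLE_USERS, salted=True)
    # Same password, same unsalted hash: cracking one exposes both users.
    print("unsalted collision:", unsalted["chef_anna"] == unsalted["bob_bakes"])
    print("salted collision:  ", salted["chef_anna"] == salted["bob_bakes"])
    print("precomputed table vs unsalted leak:", crack_with_precomputed_table(unsalted, WORDLIST))
    print("precomputed table vs salted leak:  ", crack_with_precomputed_table(salted, WORDLIST))
    print("per-user guessing vs salted leak:  ", crack_salted(salted, WORDLIST))
```

Run as a script, it shows that the two users who share a password get identical unsalted hashes and are both recovered by a single table lookup, whereas their salted records differ and the precomputed table recovers nothing; only per-user guessing at the full work factor finds the shared password, and the user with a password outside the wordlist is never recovered. This is the property the EDPB example relies on when it treats the exfiltration of strongly hashed, salted passwords as low risk.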

Not only do the Guidelines provide a useful benchmark when addressing security incidents and personal data breaches, they also offer valuable insight into the risk considerations the EDPB treats as most important when determining the notification strategy following a security incident.

Notably, many of the examples outlined in the Guidelines do not require notification to supervisory authorities or affected individuals.

The Guidelines require that a risk assessment be carefully conducted and documented following each security incident, and that notification be made only where that assessment identifies a risk to the rights and freedoms of individuals (in which case the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach) or a high risk (in which case the affected individuals must also be informed).

You can find the updated EDPB Guidelines on Examples regarding Personal Data Breach Notification here.

It is important to note that you should contact Griffin House Consultancy within 24 hours if you have a breach, as it is vital to get things right as soon as possible.

Let us ease your mind

If you have any queries, questions or requests then please get in touch. We’re always very happy to talk, you’ll find a friendly voice on the end of the line or simply fill out the form below.
