This past year has forced us to adapt in various ways. "Normal" work life quickly moved from dropping the kids off at school on the way to the office to working from home while keeping an eye on the kids' distance learning. But the pandemic also changed the work life of criminals. While the number of burglaries has dropped, cybercrime is at a new all-time high. Home office networks have become new gateways for cybercriminals. From a company's perspective, cybercrime is a multi-layered threat: the company's data and business secrets are exposed, its reputation is at risk, GDPR compliance becomes even harder to ensure, and considerable fines become more difficult to avoid.

This might be why the European Data Protection Board (EDPB) released new complementary Guidelines on Data Breach Notifications (Guidelines 01/2021, the "Guidelines", to be found here) earlier this year. These new Guidelines provide examples of best practices to prevent data breaches in the first place and explain how to assess the GDPR-related consequences (i.e. notification of the supervisory authority YES/NO, notification of the data subjects YES/NO). Clearly, the Guidelines are based on the EU-wide experience the national supervisory authorities have collected over the (almost) three years since the GDPR became applicable. The Guidelines further show, once more, the EDPB's effort to seek "technical solutions", such as strong encryption of data at rest and electronic back-up systems. The draft Guidelines were open for public consultation until March 2nd.

EDPB Examples re Data Breach Notification

Risks identified / samples provided by the EDPB:

  • ransomware
  • data exfiltration attacks
  • internal human risk source
  • lost or stolen devices and paper documents
  • mispostal (accidental and on purpose)
  • other cases – social engineering

For each of the above-mentioned categories of risks the EDPB analysed:
  • prior measures: what controllers should do to prevent breaches in the first place
  • risk assessment: how a controller will evaluate the risk
  • mitigation steps: mitigating measures a controller should take if a breach occurs
  • obligations: whom to notify if a breach occurs and how to document a breach internally

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.