September 27, 2021

Volume XI, Number 270


Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of the GDPR. While most companies are now familiar with the 72-hour obligation on controllers to report to supervisory authorities, whether that obligation has actually been triggered continues to present unique and complex questions in each specific security event. To help companies sort through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.

The guidelines are intended to supplement the October 2017 general guidance provided by the Article 29 Working Party, the predecessor to the EDPB. The guidelines walk through 18 examples covering the most common security event scenarios, including ransomware attacks, data exfiltration attacks, human errors, lost or stolen devices and paper documents, “mispostal,” and social engineering, such as identity theft and email exfiltration. For each example scenario, the EDPB identifies whether notification to the relevant supervisory authority or to data subjects would be required, as well as appropriate mitigation measures.

The guidelines also set out several recommendations for data breach management, such as implementing plans, procedures and guidelines, conducting regular employee training, and documenting breaches in each and every case, irrespective of the risk they pose.

Putting it Into Practice: Notification obligations are very fact specific and will depend on the circumstances of each unique event. Organizations are reminded of the importance of data breach preparedness efforts. This includes activities such as preparing incident response plans and playbooks, training on those plans, simulating an event through a tabletop scenario, and reviewing cyber insurance policies. The EDPB guidelines are open for public comment until March 2, 2021. Feedback may be submitted to the EDPB.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 32

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334