An EDPB Update: Guidelines on Examples Regarding Data Breach Notification

The recently adopted EDPB guidelines on examples regarding data breach notification complement the Article 29 Working Party guidance on data breach notification by introducing more practice-orientated guidance and recommendations. The guidelines, adopted on January 14, 2021, and available for public commentary, aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.


Content Assessment: An EDPB Update - Guidelines on Examples Regarding Data Breach Notification

  • Information - 95%
  • Insight - 90%
  • Relevance - 90%
  • Objectivity - 95%
  • Authority - 95%

Overall: 93% (Excellent)

A short percentage-based assessment of the qualitative benefit of the recent post highlighting EDPB guidelines on examples regarding data breach notification.

Editor’s Note: The European Data Protection Board (EDPB) is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. Recently, the EDPB adopted guidelines on examples regarding data breach notification. According to the adopted guidelines, as part of any attempt to address a breach, a data controller should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Provided for your review and use is a complete copy of the recently published guidelines, as they may be useful to legal, business, and information technology professionals operating in the eDiscovery ecosystem who seek to recognize and understand data breaches more efficiently.

Taken from the European Data Protection Board (EDPB)

EDPB Adopts Guidelines on Examples Regarding Data Breach Notification 

Overview

The EDPB adopted guidelines on examples regarding data breach notification. These guidelines complement the Article 29 Working Party (WP 29) guidance on data breach notification by introducing more practice-orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), such as ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. Per case category, the guidelines present the most typical good or bad practices, advise on how risks should be identified and assessed, highlight the factors that should be given particular consideration, and indicate in which cases the controller should notify the SA and/or the data subjects. The guidelines will be submitted for public consultation for a period of six weeks.

Guidelines Extract

As part of any attempt to address a breach, the controller should first be able to recognize one. The GDPR defines a “personal data breach” in Article 4(12) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

In its Opinion 03/2014 on breach notification and in its Guidelines WP 250, WP29 explained that breaches can be categorized according to the following three well-known information security principles:

  • “Confidentiality breach” – where there is an unauthorized or accidental disclosure of, or access to, personal data.
  • “Integrity breach” – where there is an unauthorized or accidental alteration of personal data.
  • “Availability breach” – where there is an accidental or unauthorized loss of access to, or destruction of, personal data.

A breach can potentially have a range of significant adverse effects on individuals, which can result in physical, material, or non-material damage. The GDPR explains that this can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals. One of the most important obligations of the data controller is to evaluate these risks to the rights and freedoms of data subjects and to implement appropriate technical and organizational measures to address them.


Review the Complete Guidelines Document (PDF) from the EDPB

EDPB Guidelines 01:2021 on Examples Regarding Data Breach Notification

Read the original Guideline document from the European Data Protection Board



Source: ComplexDiscovery

