As is well known, the GDPR provides that in the event of a personal data breach the controller must notify the competent supervisory authority (or authorities), without undue delay and where feasible within 72 hours, unless the breach is unlikely to result in a risk to the data subjects (Art. 33 GDPR); if the breach is likely to result in a high risk to the data subjects, the data subjects themselves must also be informed (Art. 34 GDPR).
The European Data Protection Board (EDPB) had already published guidelines on this topic in February 2018. Those guidelines left many questions open, which is why the EDPB has now published draft supplementary guidelines with worked examples (Guidelines 01/2021 on Examples regarding Data Breach Notification, Version 1.0, adopted 14 January 2021). The public consultation runs until 2 March 2021.
The example guidelines are organised by type of attack and attack vector and cover 18 examples:
- Ransomware with a working back-up and no data exfiltration;
- Ransomware without a back-up;
- Ransomware with a working back-up and no data exfiltration, in a hospital;
- Ransomware without a back-up and with data exfiltration;
- Exfiltration of job applicant data from a website;
- Exfiltration of hashed passwords from a website;
- Credential stuffing attack (automated log-in attempts using previously leaked username/password pairs) against an online banking website;
- Data exfiltration by an employee;
- Accidental transmission of data to a trusted third party;
- Various cases of lost or stolen devices and storage media;
- Various cases of data sent to the wrong recipient by post or by e-mail;
- Identity theft through social engineering over the phone;
- E-mail exfiltration through mailbox forwarding rules.
For each example, the guidelines state, relatively succinctly, which measures could have prevented the breach in the first place and which measures the controller can take to mitigate the risks once the incident has been discovered.