The Italian Data Protection Authority, in its newsletter no. 472 of 25 January 2021, announced that on 14 January the EDPB (“European Data Protection Board”) adopted new Guidelines (“Guidelines 01/2021 on Examples regarding Data Breach Notification”, the “Guidelines”) aimed at supporting companies and public administrations in correctly addressing data breaches and defining risk management processes.
The document supplements the earlier Working Party 29 guidelines (“Guidelines on Personal data breach notification under Regulation 2016/679”), which include a technical and theoretical analysis of what Regulation (EU) 2016/697 (the “Regulation”) prescribes on personal data breaches (“Data Breaches”).
Drawing on information security principles and recalling “Opinion 3/2014” and “Guidelines WP 250”, the EDPB classifies breaches into three types:
- “confidentiality breaches” – occur when there is an unauthorised disclosure of or access to personal data;
- “integrity breaches” – occur when there is an unauthorised or accidental alteration of personal data;
- “availability breaches” – occur when there is an accidental or unauthorised loss of access to, or destruction of, personal data.
Aiming to provide useful guidance to data controllers and data processors on how to handle a personal data breach correctly, the Guidelines illustrate what to avoid (e.g. failure to encrypt data). They also contain numerous practical case studies involving hospitals, banks, businesses and online service companies of various kinds in different European countries.
These case studies describe the preventive measures that can be taken, suggest how to carry out a breach risk assessment, and set out the measures that can be taken to mitigate the risks and the legal obligations that must be met.
The EDPB has launched a European public consultation on the document, which ends on 2 March 2021.