The European Data Protection Board (“EDPB”) has published draft supplementary guidelines on responding to, handling, and managing personal data breaches. The draft is intended to supplement the data breach notification guidelines (WP250) published by the EDPB’s predecessor, the Article 29 Working Party, in October 2017, and focuses on practical issues that arise when managing a breach.
The guidelines work through representative categories of data breaches, including ransomware, accidental and intentional unauthorized disclosure of data, and loss or theft of physical devices containing personal data. In each case the controller must document the breach, its effects, and the remedial action taken (as required by Article 33(5) GDPR), and must assess whether notification to the competent supervisory authority (within 72 hours of becoming aware of the breach, under Article 33) and communication to the affected data subjects (where the breach is likely to result in a high risk to them, under Article 34) is required.
The EDPB also gives specific recommendations for each category and use case. For ransomware, for example, it stresses the importance of backup and restoration procedures that are tested and whose backups are kept separate from the production systems, so that data can be restored promptly and the adverse effects of the breach contained, as well as isolating affected systems and segmenting networks to prevent the malware from propagating within the organization.
The EDPB further recommends that every controller have documented procedures in place for handling data breaches, with clear reporting lines and named persons responsible for each aspect of the response and recovery process.
The guidelines are open to public comments until March 2, 2021.
The draft is titled Guidelines on Examples regarding Data Breach Notification and is published on the EDPB website.