Guidelines adopted on examples regarding data breach notification

In January 2021 the European Data Protection Board adopted guidelines on examples regarding data breach notification. These guidelines complement the Working Party 29 guidance on data breach notification by introducing more practice-orientated guidance and recommendations. They aim to help data controllers decide how to handle data breaches and what factors to consider during risk assessment. The guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities, such as ransomware attacks, data exfiltration attacks, or lost or stolen devices and paper documents.

The guidelines present the most typical good or bad practices, advise on how risks should be identified and assessed, highlight the factors that should be given consideration, and indicate in which cases the data controller should notify the supervisory authorities and/or the data subjects. The guidelines will be submitted for public consultation for a period of six weeks.