New Guidelines for Notification of Personal Data Breaches
Author: Sanda Planinc
1. Obligation to Report in the Event of a Personal Data Breach
The General Data Protection Regulation (“GDPR”) introduced a number of new obligations for organizations, including the obligation to notify the supervisory authority (in Slovenia, the Information Commissioner) of an identified personal data breach if the breach is likely to result in a risk to the rights and freedoms of individuals. The notification must be made without undue delay after the breach is detected and within 72 hours at the latest. Where the breach poses a significant risk to the rights and freedoms of individuals, the affected data subjects must also be informed of the breach directly. This obligation has a rather wide scope: with rare exceptions, every company today processes personal data and is therefore exposed to the risk of a data breach.
2. New Guidelines on Personal Data Breaches
On 18 January 2021, the European Data Protection Board published draft Guidelines no. 1/2021 with examples of personal data breaches (the “Guidelines”), on which the interested public may submit comments until 2 March 2021. These Guidelines complement the Guidelines on personal data breach notification issued by the former Article 29 Working Party in 2018 and draw on the experience gathered by the national supervisory authorities since the GDPR became applicable, with the aim of making it easier for organizations to decide how to respond to a detected data breach.
The Guidelines contain practical examples intended to clarify the obligation to notify a data breach to the supervisory authority and to the individuals concerned. The breaches are divided into six major groups:
- ransomware;
- data exfiltration attacks;
- internal human risk sources;
- lost or stolen devices and paper documents;
- mispostal; and
- social engineering.
For each breach, the Guidelines give examples of good and bad practice, together with recommendations for preventive measures, guidance on risk assessment, proposed organizational and technical measures to prevent breaches and mitigate their impact, and an explanation of whether the breach has to be notified to the supervisory authority and/or to the affected individuals.
3. Notifications in Slovenia
The latest public data of the Information Commissioner on the number of data breach notifications relate to 2019, when 137 notifications were received. Most notifications concerned i) documents containing personal data (e.g. medical records, invoices, administrative documents, debit cards) being sent to the wrong person as a result of unintentional human error or inaccurate data in personal data files, and ii) loss of access to personal data (ransomware, loss or theft of a username and password). These breaches and the related obligations are now explained in more detail in the Guidelines. Once the final version of the Guidelines is adopted, organizations are advised to review and update their internal data breach procedures and to follow the Guidelines whenever a data breach is detected.