
What a company should do in the event of a data breach

by Vincenzo Tiani

On 14 January 2021, the European Data Protection Board (EDPB) published its guidelines to help companies and professionals in the event of a data breach. Open for feedback until 2 March, this document includes more practical examples than the previous one published in 2017 and takes into account the evolution of cyber attacks in recent years.

A data breach, let us remember, can involve a ‘breach of confidentiality’ (an unauthorised or accidental disclosure of, or access to, personal data), a ‘breach of integrity’ (an unauthorised or accidental alteration of personal data), or a ‘breach of availability’ (an accidental or unauthorised loss of access to, or destruction of, personal data). The resulting damage can range from the mere disclosure of one’s e-mail address to phishing, unauthorised withdrawals from accounts, and the disclosure of confidential information.

Depending on the seriousness of the data breach, which may be the result of a targeted attack or may be entirely accidental, the General Data Protection Regulation (GDPR) provides for three cumulative obligations (Articles 33 and 34): internal documentation of the incident; notification to the supervisory authority if there is a risk to the rights and freedoms of the data subjects; and communication to the data subjects themselves if that risk is considered high. The notification, which must be made within 72 hours of the controller becoming aware of the breach, must describe its nature, indicating the type of data concerned (e.g. whether special categories of data are involved), the number of data subjects and records concerned, the circumstances, the likely consequences of the breach and the measures taken or proposed by the controller to address it, including, where appropriate, measures to mitigate its possible negative effects.

Since such an assessment is not easy to make and has to take several factors into account, the EDPB proposed eighteen worked examples in its guidelines, covering typical cases such as ransomware, data exfiltration attacks, data loss due to human error, loss or theft of data on devices and paper documents, and social engineering.

Read the article on Wired Italia (in Italian).