‘Handbook’ to manage data breaches recommended

Out-Law News | 21 Jan 2022 | 2:44 pm | 2 min. read

Businesses are being urged to plan ahead on how they will manage data breaches when they arise.

The European Data Protection Board (EDPB) said data controllers and processors could develop a ‘handbook’ on handling personal data breaches “that aims to establish facts for each facet of the processing at each major stage of the operation”.

It added: “Such a handbook prepared in advance would provide a much quicker source of information to allow data controllers and data processors to mitigate the risks and meet the obligations [under the EU General Data Protection Regulation of notifying personal data breaches] without undue delay. This would ensure that if a personal data breach was to occur, people in the organisation would know what to do, and the incident would more than likely be handled quicker than if there were no mitigations or plan in place.”

The recommendation, contained in new guidelines issued by the EDPB, was endorsed by David McIlwaine, a cyber risk expert at Pinsent Masons. He said it chimes with the growing threat of cyber crime that businesses are seeing and their increased appetite for help in anticipating incidents.

“We have seen a significant increase in the number of businesses who want advice on their cyber-readiness programme, so that they have a documented playbook and approach for handling cyber incidents,” McIlwaine said. “This is no doubt in response to the significant increase in ransomware attacks in the last 18 months, which brings critical business decisions immediately into focus, such as ‘should I engage with the attacker’, ‘can I do that lawfully’, ‘is it lawful to make a ransom payment’, or ‘what steps do I need to mitigate risk’ and ‘does that position change according to jurisdictions affected’?”

“These are serious decisions for the board, and ones which potentially involve criminal liability, so we encourage businesses to plan ahead for this. Pinsent Masons’ Cyturion – a cyber readiness tool helping organisations become better prepared to manage incident response – is an example of the resources available to businesses,” he said.

Under the EU GDPR, controller organisations are obliged to disclose certain personal data breaches to data protection authorities and affected individuals. A personal data breach is defined under the Regulation as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Controller organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is likely to be a high risk to the rights and freedoms of the data subject then the data subjects must be informed directly without undue delay.

The EDPB’s new guidelines, which contain examples of personal data breach notification under the EU GDPR, make several references to the responsibilities of processors, and not just controllers, in relation to managing a personal data breach.

According to the guidance, processors as well as controllers should have plans and procedures in place for handling data breaches. This represents an expansion of the preparations that processors should put in place to meet the data protection regime.

While processors have their own security obligations under Article 32 of the EU GDPR, they do not have obligations to notify personal data breaches to the national data protection authority, or to individuals – this is the preserve of the controller. However, the processor must notify the controller of a personal data breach without undue delay, and the legislation requires the processor to be put under a contractual obligation to assist the controller with its reporting obligations, which are governed by Articles 33 and 34 of the EU GDPR.

In its guidance, the EDPB also addressed considerations controllers should have when deciding whether and when to report data breaches to data subjects. It cited a recital to the EU GDPR itself, appearing to confirm that the timeline for notifying data subjects is contingent on the nature of the risk posed to the individuals in question.

A further clarification also highlighted the EDPB’s view that notifying affected data subjects collectively, for example through a posting on the company website, rather than individually may not be appropriate, even where there are no details held for the data subject concerned, if that notification strategy could increase the risk to the data subject.

Other amendments made to an earlier version of the guidance indicate an increase in the EDPB’s expectations in terms of security measures that organisations need to put in place to address the risk of data breaches. These include increased focus on the importance of backups, including the need for those to be multiple, regular and isolated, and specific mention of multi-factor authentication as a baseline security measure.

Co-written by Rebecca Townsend of Pinsent Masons.