The EDPB Releases Draft Practical Guidelines on Personal Data Breach Notification

The European Data Protection Board (“EDPB”) has recently released new draft guidelines on personal data breach notification.  

These new guidelines complement the previous and more general guidelines on the same subject that were issued by the EDPB, then the Article 29 Working Party, in October 2017 (see here for more details).

Although quite comprehensive, the previous guidelines lacked practical details in certain regards, as they were drafted at a time when the authorities and organisations did not have much experience of personal data breach notification. More than two years later, the EDPB has decided to provide guidelines made up of practical examples taken from its experience.

Personal Data Breach Notification

Under the General Data Protection Regulation (GDPR), controllers must notify:

the competent authority of any personal data breach likely to result in a risk to the rights and freedoms of the data subjects;

the individuals concerned of any personal data breach likely to result in a high risk to their rights and freedoms.

It is therefore important for a controller to understand what a personal data breach is and to be ready to react promptly and appropriately when it happens.