The EDPB guidelines for data breaches – a review

On January 18, 2021, the European Data Protection Board (EDPB) published draft guidelines on data breach notification, adopted for public consultation until 2 March 2021. Having reviewed the guidelines, we analyse in this article how they could affect your business.


Summary of the guidelines
Articles 33 and 34 of the GDPR require that a personal data breach is reported to the competent national supervisory authority (SA) and, in some cases, communicated to the data subjects whose personal data have been affected by the breach. The existing general guidance on data breach notification from October 2017 (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) does not provide much practical insight into how these notifications are to be executed in practice. The purpose of the EDPB draft guidelines is to provide practice-oriented, case-based guidance that complements WP 250 and helps data controllers decide on the correct measures to be taken before, during and after a data breach incident occurs.

The guidelines divide data breaches into six categories: ransomware, data exfiltration attacks, internal human risk, lost or stolen devices and paper documents, misposted data, and social engineering attacks. Through 18 fictional case studies, the guidelines provide recommendations on how to deal with each of these types of breach. Given that the guidelines reflect the common experiences of the SAs of the EEA, the practical tips offer an insight into some of the minimum measures the SAs believe controllers should take in the described cases. As such, any minimum demands that can be read from the guidelines provide practical guidance for controllers that process personal data.

The guidelines provide hands-on examples of what can be done before, during and after certain types of data breaches, and, properly studied, the presented cases can be used as a blueprint for organisations when writing their internal response plans and manuals. Furthermore, the guidelines place a lot of focus on the before stage and the need for controllers to assess and plan properly in order to prevent incidents from occurring. Any data breach carries the risk that individuals could suffer physical, material or non-material damage. Accordingly, the guidelines state that one of the most important obligations of the data controller is to evaluate the risks the processing could pose to the rights and freedoms of the data subjects. Once this is done, it is easier to assess and implement the appropriate technical and organisational measures needed to address those risks. Financial and health data, for example, require a higher security standard according to the guidelines, such as having a security operations centre and other incident prevention, detection and response measures.

The examples and tips expressed in the guidelines are relatively easy to understand in practice and provide hands-on guidance for data controllers, e.g. to have an incident response plan, a manual on best practices for the organisation, and updated IT systems and security standards appropriate to the kind of personal data being processed by the controller (such as updated firmware, operating systems, servers and encryption). Generally, the guidelines can be summarised in the phrase: more is always better, and procedures put in place today are always better than those put in place yesterday. According to the guidelines, certain types of data breaches (such as ransomware attacks) can indicate that security holes exist that need to be closed in the aftermath of a breach.

The guidelines provide practical examples of measures to be taken and put in place in certain situations. Even though these examples do give some guidance on certain minimum requirements, many of the example measures are expressly stated to be neither exclusive nor comprehensive. It is up to each controller to fill this gap in practice and to evaluate and decide which measures need to be taken for their particular data processing. Furthermore, even though the guidelines reflect the common experiences of the SAs of the EEA, they are not jurisprudence, and further measures could prove necessary in certain situations. Essentially this means that, as always, there is still a risk that a data controller, despite having followed the recommendations for a particular data breach category, is deemed not to have taken sufficient measures to protect the personal data being processed once a breach is investigated by an SA. As such the recommendations, while good and a welcome addition to the EDPB's collection of guidelines, should not be relied on alone to ensure compliance. Organisations seeking proper protection in order to protect their data subjects and comply with the GDPR are therefore still advised to consult proper legal expertise in order to ensure that their particular data processing is compliant with their GDPR obligations and to avoid the possibility of administrative fines or other sanctions.

Conclusion for Controllers moving forward
The guidelines, despite the limitations mentioned above, are still a blueprint for organisations and their in-house legal departments to use when formulating internal procedures and documents to prepare for and handle data breaches. It is also welcome that the guidelines emphasise the importance of the before stage, as it is almost always better from a cost, public relations and legal perspective for controllers to work preventively against data breaches rather than reactively. Given that the recommendations are the aggregated opinions of all the SAs of the EEA, they can be counted on to hold some weight should an organisation come under an SA's inspection. Therefore, organisations are recommended to assess their exposure to the types of data breaches listed in the guidelines and to compare their preventive measures with those proposed by the EDPB. However, it should be noted, as previously stated, that the examples of preventive and mitigating measures to be taken in each data breach case are intended to be neither exclusive nor comprehensive, and more or fewer measures may be needed in a particular case. Accordingly, we recommend that organisations consult proper legal expertise in order to determine which measures are necessary in their particular case.

Norelid Law Firm has extensive experience in dealing with all stages of data breaches. We always make sure that the solution to your case is tailored to your specific organisation and business, and we are attentive to your challenges and possibilities. Feel free to contact us if you have any questions concerning the draft guidelines or if you need our assistance with your data processing.

Read the complete guidelines here:


The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.