Written by 1 February 2021 11:52 EDPB, Media, News from the market

What a company should do in the event of a data breach

cybersecurity

by Vincenzo Tiani

On 14 January 2021, the European Data Protection Board (Edpb) published its guidelines to help companies and professionals in the event of a data breach. Open for feedback until 2 March, this document includes more practical examples than the previous one published in 2017 and takes into account the evolution of cyber attacks in recent years.

A data breach, let us remember, can involve a ‘breach of confidentiality’ – when there is an unauthorised or accidental disclosure of, or access to, personal data; a ‘breach of integrity’ – when there is an unauthorised or accidental alteration of personal data; a ‘breach of availability’ – when there is an accidental or unauthorised loss of access to or destruction of personal data. Damage can range from the mere disclosure of one’s e-mail to phishing, account withdrawals, and disclosure of confidential information.

Depending on the seriousness of the data breach, which may be the result of a targeted attack or may be entirely accidental, the General Data Protection Regulation, the GDPR, provides for three cumulative possibilities (Articles 33 and 34): internal documentation of the incident, communication to the Supervisor if there is a risk for the rights and freedoms of the data subjects, and communication to the data subjects if this risk is considered high. The communication, which must be made within 72 hours from the time when it becomes known, must describe the nature of the breach, indicating the type of data concerned (e.g. if it is special categories of data), the number, the circumstances, the likely consequences of the breach and the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible negative effects.

Since such an assessment is not easy to make and has to take into account several factors, the EDPB proposed eighteen examples in its guidelines, including typical cases such as ransomware, data exfiltration attacks, data loss due to human error, loss or theft of data on devices and paper documents, and social engineering.

Read the article on Wired Italia (in Italian).

Related Posts

IAPP 22 giugno 2021

Media

22 June 2021

IAPP Rome Chapter with Ignacio Gomez Navarro (EDPB)

Ignacio Gomez Navarro of the EDPB presented the additional measures to SCCs for transfers of personal data to third countries

Read More
IAPP 22 giugno 2021

Events

18 June 2021

IAPP Rome Chapter: The World After ‘Schrems II’ and the impact of supplementary measures and the new SCCs

? 22 June 2021, h. 15.00

Read More

Media

5 June 2021

Three years of GDPR, how it has changed our lives: a lot but still not enough

The impact of GDPR on companies, PAs and professionals is undeniable. The market is responding with growing enthusiasm.

Read More
wired_post

Media, News from the market

26 November 2020

The rules for data transfers outside the European Union

Vincenzo Tiani on the EDPB recommendations for data transfers to third countries in the post-Schrems II era

Read More

Comments are closed.

Close
Categories
Archives