
May 13, 2021  |  By Camelia Nastasi

EDPB launches guidelines on Examples of Data Breach notifications

The EDPB (European Data Protection Board) has published a guide that seeks to clarify the most common situations in which data breaches occur. The guide also underlines the importance of sending a data breach notification to the competent supervisory authority.

The examples it contains remain relevant now, especially since they are based on real situations that led to data breaches.

"As part of any attempt to address a breach the controller should first be able to recognize one." The GDPR defines a "personal data breach" in Article 4(12) as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".

Ransomware

The EDPB opens its list of the most frequent data breach cases with ransomware.

In most cases a ransomware attack suffered by the data controller involves the encryption of personal data by malicious code; in exchange for decryption the attacker demands a ransom.

The EDPB classifies the ransomware cases as follows: with a proper backup and without exfiltration, with a backup and without exfiltration in a hospital, or without a backup and with exfiltration.

Data exfiltration attacks

These attacks target the services that the controller offers to third parties via the internet. They typically aim at copying, exfiltrating and abusing personal data for malicious activities.

If the controller is aware of how these breaches occur, it can significantly reduce the risk of such an attack.

Similarly, the EDPB provides concrete examples of data exfiltration attacks, classified as follows: exfiltration of job application data from a website, exfiltration of hashed passwords from a website, or a credential stuffing attack on a banking website.

Internal human risk source

Human errors are hard to prevent. It is recommended that data controllers analyse their vulnerabilities and take the necessary measures to avoid them. In summary, these cases are classified by the EDPB as follows: exfiltration of business data by a former employee, or accidental transmission of data to a trusted third party.

Lost or stolen devices and paper documents

A common type of data breach occurs through stolen devices and paper documents. The EDPB recommends that security measures be taken before a breach happens, since recovering a lost device or document afterwards is much more difficult.

Again, the guide provides different examples of data breaches through stolen materials: devices storing encrypted or unencrypted personal data, or paper files with sensitive data.

Mispostal

"The risk source is an internal human error in this case as well, but here no malicious action led to the breach. It is the result of inattentiveness." Examples: a snail mail mistake, or sensitive personal data or personal data sent by mail by mistake.

Other cases: social engineering

  • Identity theft
  • Email exfiltration

Although the cases presented in this guide are fictitious, they are meant to help data controllers assess their own data breaches.

In conclusion, the EDPB advises readers to read all the cases relevant to the specific category of data breach. This will help them identify and distinguish the correct measures to be taken. It is important to send a data breach notification where applicable, to avoid higher sanctions or damage to your brand reputation.

Need help?

Sovy can help you get compliant and stay compliant using our on-line tools, including:

  • Walk through a data mapping exercise and build your data inventory.
  • Build all the policies you need under the GDPR.
  • Train your employees with industry-standard eLearning courses.
  • Maintain your compliance program in the cloud.
  • Manage cookie consent and data rights.

We also offer advisory services in compliance, governance risk, adverse events and remediation.

Find out how the Sovy GDPR Privacy Essentials can help you, or get in touch with us for more information.

Source: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202101_databreachnotificationexamples_v1_en.pdf

Last updated: May 13, 2021

Article by Camelia Nastasi
