Need to report a data breach? Brushing up your data breach policies? Have a read of some new EU guidance
New guidelines on reporting data breaches were published in draft form in January this year by the body in charge of data protection rules in the EU (the “EDPB”).
These new guidelines aren’t likely to apply to controllers who mainly process data about individuals in the UK, like pension scheme trustees. That’s because the UK’s data protection regulator (the “ICO”) isn’t part of the EDPB following Brexit. Since January, the ICO’s guidance has been the first port of call when interpreting the data protection law which now specifically applies in the UK.
However, since much of the UK’s data protection framework is essentially identical to the EU’s – at least for the time being – the guidelines give a helpful insight into how EU regulators are approaching the breach reporting requirements in practice.
The guidelines are easy to read, and more practical than the earlier EDPB guidance. Two key aspects which stood out to me were:
- the range of examples, some of which reminded me of clients’ breaches in recent years, and
- the measures which are recommended to avoid breaches in the first place.
Example scenarios
The scenarios in the guidelines cover a wide range of breaches. A couple which caught my eye based on recent client experience were (in broad terms):
- sending a spreadsheet of information by mistake to a “trusted third party”. In this scenario, the recipient (an insurance agent, who was bound by contractual obligations as a processor) proactively signalled the mistake to the controller. He also confirmed that he had deleted the file, which contained customer data about 24 individuals.
In this example, the EDPB is happy that no report is needed to the supervisory authority, or to data subjects. The rationale is that there was no risk to individuals, in particular because of the immediate detection of the risk and the steps taken to contain it.
- accidental posting of two insurance policy renewal letters to the wrong policyholder. In this scenario, “policyholder A” received “policyholder B’s” letter, and vice versa.
In this example, the EDPB notes that while most recipients of incorrectly posted letters will probably just dispose of the letter, in individual cases it can’t be completely ruled out that harm could be done – eg that the letter could be posted on a social network. The EDPB concludes that a report should be made to the supervisory authority.
Avoiding breaches in the first place
The guidelines include a thorough list of measures which can be taken to prevent the risk of a data breach, or to reduce the impact if one occurs. These range from technical measures (IT security measures, and in particular encryption) and organisational measures (such as implementing access controls) to managing human error through training.
There’s also a strong focus in the guidelines on maintaining a data breaches policy with appropriate reporting lines.
Looking forward
No “real life” data breach is likely to meet the exact fact pattern in the EDPB guidance. Sackers are experienced in helping clients assess data breaches which arise in practice.
As importantly, as we approach the third anniversary of the GDPR coming into force, trustees should consider whether a periodic review of their data protection compliance is due. The pandemic has launched new ways of working, and the EDPB’s breach prevention measures are more relevant than ever for reducing the risk of breaches occurring and protecting member data. Sackers can also offer data breaches training to trustees and in-house teams.