The European Data Protection Board ("EDPB") has released guidelines on 'Examples regarding Data Breach Notifications' for public consultation. The new guidelines complement rather than replace the Article 29 Working Party Guidelines on Personal Data Breach Notifications and include practice-orientated guidance on 18 fictitious case studies. 

While the cases are fictitious they are based on typical cases that EU Supervisory Authorities ("SAs") deal with and reflect the collective experience of those SAs on breach notifications since the introduction of the GDPR. 

The case studies are split into the following categories: 

  • Ransomware
  • Exfiltration Attacks
  • Internal Human Error 
  • Lost or Stolen Devices and Documents 
  • Postal Errors
  • Other cases 

The EDPB examples include highly topical areas such the availability of back-ups, use of hashed passwords, issues with former employees and social engineering by hackers.

Prevention is always better than cure and as several consequences of breaches are by their nature irreversible, controllers may find these examples to be a good reference point for assessing internal procedures and identifying current vulnerabilities. 

The public consultation is open until 2 March 2021.