What to do following a data breach – New worked examples released by EDPB to help data controllers
If you are trying to work out what to do following a personal data breach then the European Data Protection Board (EDPB) has published new guidance which should help, even if you’re based in the UK.
The EDPB has published new worked examples explaining what actions to take in various data breach scenarios. The hypothetical examples are based on the types of data breaches commonly seen by the EDPB. They include misaddressed emails, ransomware attacks and employees misusing personal data.
For each scenario, the guidance explains whether the matter needs to be:
- recorded internally;
- reported to the data protection regulator; and/or
- reported to the affected data subjects.
The EDPB’s guidance technically only applies to EU GDPR; it does not directly apply to UK data protection law post-Brexit. However, the UK Data Protection Regulator (the ICO) has previously indicated that the EDPB’s guidance can be helpful in understanding UK data protection law. Indeed, the wording of UK and EU data protection law remains very similar. The detailed examples in the latest EDPB guidance are likely to be helpful to an organisation assessing next steps after a data breach. You can also read the ICO’s guidance on personal data breaches.
If your organisation has suffered a data breach and you need urgent, plain-English help with knowing what to do, then please contact me or visit our Data Protection/GDPR page on our website for more information on the services we provide.