Under the GDPR’s breach notification rules, it’s essential to be able to quickly assess the level of risk that a security breach presents to individual data subjects. Any breach that is likely to result in a risk to the rights and freedoms of natural persons must be reported to the relevant data protection authority, with at least initial notification within 72 hours. Where the risk is high, affected individuals must also be notified. Where there is unlikely to be a risk, only internal documentation is required. The Article 29 Working Party published general guidance on breach notification in 2017, which was subsequently adopted by the European Data Protection Board. However the EDPB has now published a supplement, specifically on the question of assessing risk.
This takes the very helpful approach of looking at clusters of similar breaches, and explaining the factors and differences that may lead to different risk assessments. Clusters cover ransomware, data exfiltration, internal human risk (both deliberate and accidental), lost/stolen devices/documents, postal errors; finishing with a couple of examples of social engineering. In many cases the guidance suggests appropriate mitigation measures, as well as what notifications are required.
This guidance should be helpful in reducing the amount of thinking required in the immediate stressful aftermath of detecting a security breach. Check if your incident matches one of these patterns and follow the relevant instructions for initial notification (Note that the earlier guidance explicitly allows update notifications, whether to provide more information, revise the risk assessment, or even declare a false alarm).
Even better if you can use it to review your systems and datasets before any breach occurs, when you can take time to assess the likely risk that would be created by a future confidentiality, integrity or availability breach. With that kind of specific preparation, a quick check of whether the actual breach was significantly different to the anticipated one should be all you need before initiating the relevant notification and response processes.
