The EDPB explains that the Guidelines complement the WP29 Guidance on Data Breach Notification by introducing more practice-orientated guidance and recommendations. They aim to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.

The new Guidelines contain an inventory of data breach notification cases deemed most common by the national supervisory authorities (SAs), such as: ransomware attacks; data exfiltration attacks; and lost or stolen devices and paper documents. The Guidelines present the most typical good or bad practices in each category, advise on how risks should be identified and assessed, highlight the factors that should be given particular consideration, as well as inform the cases in which the controller should notify the SA and/or notify the data subjects.

The Guidelines will be submitted for public consultation for a period of six weeks. To read the EDPB’s press release in full and for a link to the Guidelines and consultation, click here.