Attacks frequently causing data breaches - organizational and technical measures for preventing / mitigating the impacts

Intro

The purpose of this material is to explain and analyze, in a structured way, the practical examples of personal data breaches provided in the Guidelines 01/2021 of the European Data Protection Board. The cases are grouped by the category of attack that caused the breach and are presented using a common set of elements to make them comparable: the business involved, a description of the case, the categories of data and data subjects affected, the risk assessment, the mitigation measures and obligations, and the actions required on the basis of the identified risks. The organizational and technical measures for preventing attacks or mitigating their impact are likewise presented by category of attack. This material aims to assist SMEs in assessing and responding to their own data breaches.
At the end of the study, the reader is expected to:
  • Understand how to assess the data breach and what elements to consider during risk assessment.

  • Understand how to decide whether or not to notify the data breach to the competent supervisory authority and communicate it to the affected individuals.

  • Understand how to document the data breach and what elements to establish.

  • Be able to identify and distinguish all the appropriate mitigating measures to be taken in case of the different categories of data breaches.

Key Messages

  • Prevent data breaches by preparing in advance.

  • Establish an incident response plan and use it in practice when handling any data breach that occurs.

  • Prepare to correctly recognize a personal data breach.

  • Notify the competent supervisory authority of the personal data breach on time (under Article 33 GDPR, where feasible, within 72 hours of becoming aware of it).

  • Communicate the data breach to the data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms (Article 34 GDPR).

  • Prepare a response team for managing data breaches and make available the contact details of the team members.

  • Update the incident response plan and the technical and organizational security measures based on the outcome of the data breach.

  • Prepare template documents for notification to the authority and communication to data subjects.


General References

  1. European Data Protection Board, Guidelines 01/2021 on Examples regarding Personal Data Breach Notification.