Insurance Europe has published its response to a consultation by the European Data Protection Board (EDPB) on draft guidelines on examples regarding data breach notifications.
The guidelines should be revised to fully reflect the risk-based approach to data breaches enshrined in the General Data Protection Regulation (GDPR). If they are not, they could create an unwanted administrative burden for both data controllers and supervisory authorities, and could shift the focus of both parties away from more severe breaches and other important data protection matters.

For example, in one of the cases provided that explicitly mentions the insurance industry, the EDPB has drawn incorrect conclusions about the risks generally associated with an accidental disclosure of insurance documents. In this case, where a letter is sent to the wrong policyholder, the EDPB suggests that, if misuse cannot be completely ruled out, the controller must always communicate with the data subject, even if the data is not sensitive and the risk of misuse is extremely low. This would not be in line with the risk-based approach established by the GDPR.

In general, when a personal data breach affects a very small number of data subjects, encompasses a limited number of non-sensitive categories of personal data and there are no apparent aggravating circumstances suggesting that the breach will result in a notable risk for the affected individuals, such a breach should be considered and treated as low risk by businesses.
        © InsuranceEurope