Recommendations for a methodology of the assessment of severity of personal data breaches
The European Union Agency for Network and Information Security (ENISA) reviewed the existing measures and procedures in EU Member States with regard to personal data breaches and published in 2011 a study on the technical implementation of Article 4 of the ePrivacy Directive, which included recommendations on how to plan and prepare for data breaches, how to detect and assess them, how to notify individuals and competent authorities, and how to respond to data breaches. A proposed methodology for personal data breach severity assessment was also included as an annex to those recommendations; it was, however, not considered mature enough to be used at national level by the different Data Protection Authorities (DPAs).

Against this background, the Data Protection Authorities of Greece and Germany, in collaboration with ENISA, developed, based on the above-mentioned work, an updated methodology for data breach severity assessment that can be used both by DPAs and by data controllers. This working document is a first result of the co-operation between experts of the two DPAs and ENISA. It is planned to further develop the methodology with the aim of producing a final practical tool for data breach severity assessment. An overview of the proposed methodology is presented in section 2 of this paper and further elaborated in subsequent sections.

Severity of a breach is defined as the estimation of the magnitude of the potential impact on the individuals derived from the data breach. The core elements that have to be taken into account when assessing this severity are:

- Data processing context: the type of breached data, adjusted to the context in which they are used
- Ease of identification of the individual based on the data breached
- Circumstances of the breach, which have an additional influence on the severity of a breach
| Field | Value |
|---|---|
| Year of publication | 2013 |
| Other persons | Galan Manso, Clara (contributor); Górniak, Sławomir (contributor) |
| Institutions | European Network and Information Security Agency (issuing body) |
| Publisher | Heraklion : ENISA |