Since the GDPR came into force, there's been a surge in data breach reporting across the UK and EU. But with only around 500 fines imposed so far for over 280,000 breach reports, many of the breaches were likely reported to Supervisory Authorities unnecessarily.
The EDPB's new example-based guidelines provide a helpful benchmark for controllers who are weighing up whether or not to notify their Supervisory Authority, focusing on common scenarios such as ransomware attacks, human error and lost/stolen devices.
Perhaps the most important take-away for data controllers is the need to internally document all breaches, whether they are notifiable or not. Although often overlooked (or de-prioritised and then forgotten!), this is a mandatory obligation, and failure to do so has been known to contribute to enforcement proceedings being brought.