On 18 January 2024, the European Data Protection Board (EDPB) published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification (the Case Digest). The Case Digest looks at a selection of decisions on security of processing and personal data breach notifications taken from the EDPB's public register. It is based on a review of 90 decisions made between January 2019 and June 2023, covering Articles 32, 33, and 34 of the GDPR.

The Case Digest constitutes valuable guidance for organisations when assessing the adequacy of their security measures, both prior to and after a data breach. These decisions, issued through close cooperation among data protection authorities (DPAs), offer insights into how GDPR provisions are applied in various scenarios, such as hacking or accidental data disclosure. The Case Digest focusses on the following three key categories of data breaches, offering practical guidance for compliance:

  • Personal data breaches resulting from malicious attacks by external entities
  • Personal data breaches attributed to insufficient practices and systems of organisations
  • Personal data breaches caused by human error

A separate section addresses password-related issues, which span all three categories of personal data breaches.

This Case Digest highlights the importance of ongoing vigilance and adaptation in the face of evolving cybersecurity threats. By examining a range of security incidents and data breach scenarios, the Case Digest helps to establish a common understanding and approach among DPAs. This consistency is vital for organisations operating across multiple jurisdictions, as it provides clarity on compliance expectations and helps to streamline reporting processes in the event of a breach.

The EDPB's One-Stop-Shop Case Digest can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.