Pan-European personal data breaches: Mapping of current practices and recommendations to facilitate cooperation among Data Protection Authorities

Abstract

The emergence of frequent personal data breaches of a cross-border and even pan-European dimension coupled with the current lack of harmonized and systematic approaches to tackle them have motivated the need for further research leading to possible improvement of those cooperation challenges. In this respect, we report here on the organization, execution and analysis of the 1st Pan-European Personal Data Breaches Exercise that was conducted at the end of 2015 by the Directorate-General Joint Research Centre in collaboration with the Directorate-General for Justice and Consumers of the European Commission and the Data Protection Authorities of seven EU Member States. This cyber-exercise aimed at promoting and improving collaboration between Member States when cross-border incidents of personal data breaches occur, by serving as training exercise, mapping existing procedures and by helping identify best practices to handle such incidents. This scientific initiative constitutes a direct support of the recently adopted General Data Protection Regulation. Analysis of results led to some very interesting findings. In particular, communication issues were the ones that were highlighted as the most important ones. There is an evident lack of a global communication list of competent officers from Data Protection Authorities and this hinders cooperation. Moreover, there are no established current practices on handling such incidents and accordingly their management is still performed in an ad hoc manner. The outcome of the exercise illustrated the need for putting in place systematic procedures, as well as tools and frameworks to support communication and interaction between all interested stakeholders.