Over recent years, an increasing number of personal data breaches have been reported, especially in online systems and services. Such breaches can lead (and have led) to serious harm to the affected individuals' private lives, including humiliation, discrimination, financial loss, physical or psychological damage, or even threats to life.
It is therefore of critical importance that data controllers and processors have all the necessary mechanisms in place, both for preventing data breaches and for detecting and responding to them promptly and appropriately.
With the aim of increasing the level of data security in Europe, Directive 2002/58/EC (the ePrivacy Directive) introduced, in its latest amendment, an obligation for providers of publicly available electronic communication services to notify personal data breaches to the competent authorities and to the affected individuals. The General Data Protection Regulation (GDPR), which applies from 25 May 2018, extends this obligation to data controllers in all sectors, with processors required to notify the controller of any breach they detect.
ENISA has put considerable effort into the area of personal data breaches by issuing Proposals for the Technical Implementation of Data Breach Notification in the context of the ePrivacy Directive, and by developing a Methodology for the Assessment of the Severity Level of Personal Data Breaches.
Moreover, in co-operation with the German DPA, ENISA developed a tool for the online notification of personal data breaches by data controllers to Data Protection Authorities (DPAs), which is available to any interested DPA.