The use of increasingly advanced technology means that the ways in which data breaches occur are becoming more difficult to prevent and track. Influenced by the US model, a growing number of EU and European Economic Area (EEA) countries are developing rules on data breach notification. In Europe, “data breach” generally refers to instances where personal data has been subject to unauthorised access, collection, use or disclosure. Data breaches may be caused by inadvertent or deliberate actions that result in data being stolen, lost or disclosed, such as theft of storage devices, infiltration (hacking) of computer systems or inadequate data security practices. Data breach notification serves several purposes: the main purpose of notifying public authorities is to enable them to exercise their regulatory oversight functions, such as identifying security problems and taking action to address them. Notifying individuals aims to enable them to mitigate the risk of harm caused by the breach. In addition, notification can motivate organisations to implement more effective security measures to protect personal data.
In Europe, approaches to data breach notification vary. There are countries with statutory law and guidance on breach notification requirements across sectors. In other countries, neither specific rules nor guidance exist.