EU institutions, bodies, offices and agencies (EUIs) are legally obliged to notify the EDPS when they experience personal data breaches, or whenever a security incident involving personal data poses a risk to the rights and freedoms of an individual. Since 2018, when Regulation (EU) 2018/1725, so called EUDPR, came into force, the EDPS has received and assessed more than 450 personal data breach notifications. 

In an environment where the number of cybersecurity incidents in the EU is on the rise, and greatly affect the processing of personal data, it is paramount to raise EUIs’ awareness on how to manage personal data breaches. The aim of our initiative is to gain an insight into how EUIs handle personal data breaches. The goal of this campaign is two-fold: to allow the EDPS to enhance its supervisory and advisory role, and to raise EUIs’ awareness on handling personal data breaches. 

The awareness campaign will start during 2024 and it is divided in three phases: 

  1. Survey  for EUIs - We will contact a group of EUIs to answer specific questions on the topic of personal data breaches and provide evidence on how they handle security incidents involving personal data (e.g., data breach management procedure). The feedback will be used to evaluate their level of preparedness for the management of personal data breaches. 
  2. Bilateral Meetings - We will organise bilateral meetings with the data protection officers of the selected EUIs to exchange views on the survey findings. The aim is to give each EUI practical tips and tailored advice to improve their internal personal data breach management procedures, including a plan on how to raise their staff’s awareness.
  3. Summary of key findings - We will release a general summary of the outcome of this awareness-raising campaign in 2024. This exercise will be the stepping-stone to a future EDPS Bulletin dedicated on personal data breaches.