Blue Paper on Data Protection - A Data Breach Accountability Framework
Gold Rush Publishing (publisher)
978-1-908585-14-1 (ISBN)
Guido Reinke is a Data Protection Officer with a business assurance, legal and regulatory compliance background. He has advised firms on how to design and implement global privacy frameworks. After working for the European Commission, he took employment with regulated industries and at Big Four professional services firms. He holds an LL.M. from Queen Mary University Law School and a PhD in Politics and International Relations from the University of London, and has lectured on Regulatory Governance at the London School of Economics. He is the author of a book on data transfer between the EU and third countries, and of several other publications on regulatory compliance.
FOREWORD
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF ACRONYMS
LIST OF FIGURES
EXECUTIVE SUMMARY
PART I: OVERVIEW OF THE BLUE PAPER; THE LEGAL POSITION ON DATA SECURITY AND BREACHES
1. INTRODUCTION
1.1 Key objectives, assumptions and value for data controllers
1.2 Scope of this Blue Paper
1.3 Structure of this Blue Paper
1.4 Methodology applied and resources used
2. THE LEGAL POSITION OF THE GDPR ON DATA SECURITY AND DATA BREACHES
2.1 Why data breaches occupy a unique position
2.2 The integrity and confidentiality principle (Article 5(1)(f))
2.3 The legal definition of security of processing (Article 32) and DPIAs (Article 35)
2.4 Safeguarding the rights of data subjects through PbD&D (Article 25)
2.5 The relevance of data breach notifications (Articles 33 and 34)
2.6 Cooperation and prior consultation with the DPSA (Articles 31 and 36)
2.7 The concept of “demonstrating” compliance with the Regulation
2.8 Demonstrating risk prevention and damage mitigation
3.9 Conclusions of the legal review
PART II: INSIGHTS FROM REGULATORS AND DATA PROTECTION PRACTITIONERS
3. THE EMPIRICAL DATA: ANALYSIS OF DATA BREACHES
3.1 Sanctions by national DPSAs
3.2 Sanctions for data breaches vs. other GDPR provisions that carry liability
3.3 The consistency of enforcement across the EEA
3.4 GDPR sanctions by DPSAs (Sanctions Directory)
3.5 Case studies: Lessons to be learned for after the data breach
3.5.1 Case One: Doorstep Dispensaree Ltd.
3.5.2 Case Two: Cathay Pacific Airways Ltd.
3.5.3 Case Three: WM Morrison Supermarkets plc
3.5.4 Case Four: British Airways
3.5.5 Case Five: Marriott International
4. HOW CAN ORGANISATIONS PROTECT THEMSELVES FROM DATA BREACH SANCTIONS?
4.1 Insights obtained by survey respondents who are professionals in the data protection field
4.1.1 Governance and policy
4.1.2 Processes and procedures
4.1.3 Technology
4.1.4 DPSA response to data breaches
4.2 Insights obtained from authors’ participant observation of privacy events
4.2.1 Governance and policy
4.2.2 Processes and procedures
4.2.3 Technology
4.3 Implement appropriate technical and organisational security measures
4.4 Demonstrate compliance: Independent assurance and approved certifications
4.5 Synthesis for practitioners
PART III: A NEW COMPLIANCE MODEL: THE DATA BREACH ACCOUNTABILITY FRAMEWORK
5. CONCLUSIONS: HOW ORGANISATIONS CAN IMPROVE THEIR COMPLIANCE MATURITY
5.1 DPR enforcement by national DPSAs and oversight at European level
5.2 Building a legally defensible compliance position: The Data Breach Accountability
BIBLIOGRAPHY
TOOLKITS – Resources for Professionals
Toolkit 1: Tables analysing the results of the data breach survey
Toolkit 2: Survey questionnaire
Toolkit 3: Tables and diagrams analysing the results of the GDPR enforcement and sanctions review
Toolkit 4: GDPR Sanctions Directory
Toolkit 5: Inventory of European Data Protection bodies
Toolkit 6: Inventory of EEA national Data Protection Supervisory Authorities (DPSAs)
Publication date | 02.11.2020 |
---|---|
Series | Blue Paper |
Additional info | 20 |
Place of publication | London |
Language | English |
Dimensions | 254 x 177 mm |
Subject area | Law / Taxes ► EU / International Law |
 | Law / Taxes ► Private Law / Civil Law ► IT Law |
ISBN-10 | 1-908585-14-5 / 1908585145 |
ISBN-13 | 978-1-908585-14-1 / 9781908585141 |
Condition | New |