This case review looks at a selection of one-stop-shop decisions which relate to security of processing and data breach notification/communication.
This review is interesting in that it shows how the Data Protection Authorities (DPAs) have approached matters such as what technical and organisational measures are appropriate to ensure a level of security appropriate to risk.
Whilst some of the decisions turned on the facts of the particular case, there were also general takeaways. For example, several DPAs examined the establishment of proper access control mechanisms involving individual authentication of persons who are allowed to access specific sets of data. The lack of such clear access control mechanisms led various DPAs to find violations of Article 32 GDPR.
The report also revealed a cautious approach to notification of breaches, with organisations often deciding to notify “just in case”.
The full digest can be found here.