Who You Gonna Call When There’s Something Wrong in Your Processing? Risk Assessment and Data Breach Notifications in Practice

  • Susan Gonscherowski
  • Felix Bieker
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 547)


With the assessment of the risk to the rights and freedoms of natural persons, the GDPR introduces a novel concept. In a workshop, participants were introduced to the notion of risk, based on the framework of the German data protection authorities, with a focus on personal data breach notifications. Participants then used this risk framework to assess case studies on data breaches. Taking the perspective of either a controller or a data protection authority, participants discussed the risks, the information provided and the steps the GDPR requires after a data breach.


Data breach, Notification, Supervisory authority, DPA, Risk to rights and freedoms, Risk assessment, General Data Protection Regulation, Data protection, Privacy



This work is partially funded by the German Federal Ministry of Education and Research through the project ‘Forum Privacy and Self-determined Life in the Digital World’, and the project EIDI (efficient notification after digital identity fraud),



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Unabhängiges Landeszentrum für Datenschutz (ULD, Independent Centre for Data and Privacy Protection) Schleswig-Holstein, Kiel, Germany
