The 2019 Global Privacy Enforcement Network (GPEN) Sweep considered how organisations in various jurisdictions handle and respond to data breaches. Given the mass of information that is collected and held by organisations, it is inevitable that at certain times personal information will be accessed, disclosed, or otherwise acquired in a way which is not authorised. How an agency responds to a data breach incident (including both notification as a response and steps taken to prevent future breaches) is of key importance to data protection authorities (DPAs) and the individuals whose personal information is affected.
Of the 1145 organisations contacted as part of this year's Sweep exercise, only 21% (258) provided substantive responses. The low response rate could indicate that organisations are concerned about potential follow-up enforcement action. It could also indicate that a large number of organisations do not consider themselves compliant with breach reporting obligations in their jurisdictions, or are otherwise not keeping adequate records of privacy breaches.