The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects

  • Frederik Zuiderveen Borgesius
  • Hadi Asghari
  • Noël Bangma
  • Jaap-Henk Hoepman
Keywords: General Data Protection Regulation, cybersecurity, data breaches, security economics, personal data, data breach notification obligation


The General Data Protection Regulation (GDPR) requires an organisation that suffers a data breach to notify the competent Data Protection Authority. The organisation must also inform the relevant individuals, when a data breach threatens their rights and freedoms. This paper focuses on the following question: given the goals of the GDPR’s data breach notification obligation, what are its strengths and weaknesses? We identify six goals of, or rationales for, the GDPR`s data breach notification obligation, and we assess the obligation in the light of those goals. We refer to insights from information security and economics, and present them in a reader-friendly way for lawyers. Our main conclusion is that the GDPR’s data breach rules are likely to contribute to the goals. For instance, the data breach notification obligation can nudge organisations towards better security; such an obligation enables regulators to perform their duties; and such an obligation improves transparency and accountability. However, the paper also warns that we should not have unrealistic expectations of the possibilities for people to protect their interests after a data breach notice. Likewise, we should not have high expectations of people switching to other service providers after receiving a data breach notification. Lastly, the paper calls for Data Protection Authorities to publish more information about reported data breaches. Such information can help to analyse security threats.

Author Biographies

Frederik Zuiderveen Borgesius

Prof. dr. Frederik Zuiderveen Borgesius, prof. ICT and law, iHub, the interdisciplinary research hub on digitalization and society, Radboud University, Nijmegen, The Netherlands. Frederik has received funding from the European Union's Horizon Europe research and innovation program under grant agreement No 101070212, for the FINDHR project.

Hadi Asghari

Dr. Hadi Asghari, senior researcher at the Alexander von Humboldt Institute for Internet and Society, Berlin, Germany

Noël Bangma

Research Intern at iHub

Jaap-Henk Hoepman

Prof. dr. Jaap-Henk Hoepman, Radboud University, University of Groningen and Karlstad University