Unit 4

GDPR case studies

Assignment

Read the Data Protection Commission (2020) Case Studies (see this week’s reading list). There are several case studies from 2014 – 2018 concerning GDPR-related issues and breaches. Choose a case study (it should be unique to each student) and answer the following questions:

  • What is the specific aspect of GDPR that your case study addresses?
  • How was it resolved?
  • If this was your organisation what steps would you take as an Information Security Manager to mitigate the issue?

This analysis will focus on case 11 from the year 2016, “Disclosure of Personal Information to a Third Party”. The case study follows an incident where a human resources services provider disclosed personal information of a customer to third parties, and also accessed the personal information of the customer’s spouse (Data Protection Commission, no date).

Should this case have been reviewed under GDPR, it would have been possible to conclude that the service provider (in its role as data controller) violated the principle of purpose limitation, under which data may only be used for a previously stated and agreed-upon purpose, as per Article 5(1)(b) of GDPR. The information was also processed recklessly, without ensuring its proper security (Article 5(1)(f)) (‘Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)’, 2016).

After the Data Protection Commission contacted the service provider, actions were taken to mitigate the data breach and to remind employees of their obligation to process personal data responsibly.

This case study highlights that technical controls alone cannot ensure that a regulation is followed: employees with access to data can still accidentally or intentionally violate the principles of data protection and thereby make an organisation responsible for non-compliance. Employee education on data protection, with a focus on what data is protected and for what purposes it can be used, is required to avoid incidents similar to the one described in the case study.

References

Data Protection Commission (no date) Case Studies Pre-GDPR. Available at: https://www.dataprotection.ie/pre-gdpr/case-studies (Accessed: 8 September 2025).

‘Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)’ (2016). Official Journal of the European Union. Available at: http://data.europa.eu/eli/reg/2016/679/oj (Accessed: 19 January 2025).