A simulation called the ‘PATRICIA Test 2025’ was conducted by the European Data Protection Supervisor (EDPS). In their report, the EDPS noted that while many respondents have documented procedures, staff members lack real-life experience and confidence in applying them. This deficit could lead to significant GDPR breaches and erode European citizens’ confidence in the European Union.
The PATRICIA Test 2025 simulated a sophisticated breach scenario for several EU institutions
Participants assumed that cyber attackers gained unauthorized access to personal data and other sensitive data stored in a cloud environment.
Participants had to identify the breach, assess its impact, notify the EDPS within the 72-hour window, and mitigate the potential loss of data, reporting to the EDPS both the breach itself and the steps taken.
In practice, there were serious delays. According to the EDPS report, some teams had no top-down coordination, and some staff were uncertain how to handle communication and escalation of the breach to the EDPS, or how to notify the individuals affected by the breach of personal data.
Key Findings: Awareness vs. Action
The EDPS pointed out the following shortcomings:
- Lack of Adequate Training: While many staff understood the theory, hands-on training was largely missing, especially for handling an incident in real time.
- Siloed Communications: There was a lack of real-time coordination across IT, legal, and the data protection officers, which delayed decisions.
- Lack of Understanding of Breach Impact: Several teams underestimated the depth and impact of the breach and therefore risked not having an adequate plan in place for mitigation and reporting.
These findings reiterate those of previous EDPS awareness campaigns, which, through a number of case studies, emphasized that compliance is not just a paper exercise.
The potential for personal data breaches to cause real harm is vast
Identity theft, financial fraud, and reputational damage to individuals and organizations are real harms, and they have occurred. The GDPR gives organizations a framework that requires them to report breaches as they occur and to do what they can to lessen the resulting harm.
The more breaches that occur without mitigations in place, the greater the loss of citizens' trust in EU governance.
The EDPS has emphasized that there is no room for complacency as cyber attacks become more sophisticated. As stated in the report:
“Preparedness is not optional – it is a legal and ethical obligation.”
These statements challenge EU bodies not to stop at mere compliance, but to have a much more sophisticated governance culture.
What can the European Data Protection Supervisor do?
Gaps were identified, and the EDPS needs to take action, but how?
- Regular Simulation Exercises – Conducting drills at least yearly to reinforce practical skills and to expose weaknesses.
- Enhanced Cross-Departmental Coordination – Creating and reinforcing chains of command between IT, legal, and data protection.
- Targeted Training Programs – Scenario-based training in breach impact assessment and decision-making under pressure.
- Investment in Incident Response Tools – Reducing human error by implementing real-time breach detection and reporting.
The EU digital transformation will deepen trust and accountability in personal data protection.
The EDPS will extend the PATRICIA exercise model to all EU institutions, incorporate it into other policy guidance, and pursue further policy initiatives. Awareness initiatives will continue, highlighting the need for timely and transparent breach management and reporting. Without complete, coordinated and structured training, policies will be ineffective. The exercise is a wake-up call for the implementation of effective training and structured coordination.
