Participation as a panelist at IAPP on privacy and resilience
I participated as a panelist in the session “Iberian Blackout: Lessons on Critical Infrastructure Resilience and Data Protection” organized by the IAPP (International Association of Privacy Professionals). This event brought together leaders in data protection, cybersecurity and crisis management to analyze the recent Iberian blackout and its impact on privacy and the resilience of critical infrastructures.
As a privacy professional certified with FIP, CIPM, CIPT and CIPP/E, I offered a comprehensive perspective on personal data management, GDPR compliance and the importance of organizational resilience.
When does a blackout constitute a data breach under the GDPR? ⚠️
During the IAPP session, I discussed how a massive blackout can become a personal data breach under the GDPR, especially when it affects essential services such as hospitals or banks and puts individuals’ rights at risk. If the lack of access to personal data poses a significant risk, it is necessary to notify the Data Protection Authority.
Real example:
If a clinic loses access to medical records during the blackout and this impacts healthcare delivery, the risk must be assessed and, if necessary, reported to the AEPD or CNPD 🏥📄
Blackout Impact: Civil Society vs. Businesses 🏢🏥
At IAPP, we analyzed the impact on civil society (hospitals, communications…) and on businesses (SMEs and large corporations):
- Hospitals and critical services: activated emergency plans, but rural and small centers suffered more.
- Large companies: had continuity protocols and resources for rapid recovery.
- SMEs: were the most vulnerable, facing operational paralysis and slow recovery.
- Urban and rural differences: In rural areas, managing the blackout was simpler and more effective. These communities are more accustomed to interruptions and have better-established resilience mechanisms and mutual support.
Lessons learned: Continuity and preparation 📝🔄
The IAPP session highlighted the importance of:
- Testing and updating business continuity plans 🧑‍💼✅
- Implementing standards like ISO 27001 to improve resilience and data protection 📊🔏
- Clear communication and leadership in crisis management 📢👨‍💼
- Learning from other crises such as the COVID-19 pandemic to maintain data integrity and service continuity 🦠💾
Why is IAPP key for privacy and GDPR? 🌍🔑
Being part of the IAPP community means staying at the forefront of privacy and data protection. Sharing experiences and insights with other certified professionals at events like this not only enriches my own perspective, but also helps us all grow as a sector. I’m grateful for the opportunity to connect, learn and contribute, because together, we’re building a more resilient and privacy-conscious future.