GDPR Security Briefs – Introduction
One thing that has changed enormously with the pandemic is that companies no longer have control (especially corporations) over their infrastructure and how it is used by employees. That’s why managing the GDPR security breaches has become a real challenge. If you had 100 employees and one office to work in, you now have 100 offices to protect (or 1000 or 5000).
Things are very different now and hackers are taking advantage of this! Cyber-attacks have increased by over 400% since the start of the pandemic , according to an FBI report from 2020 (over 4000 cases per day).
In this context, the EDPB has adopted a new guide on security breach denial!
This guide complements the 2017 guide on general notification features. What’s new? Well, as a result of the experience gained at European level, we are presented with a practical guide that can be of use to all operators. Through the examples and guidance given, the guide shows us that in order to deal with a security breach, the operator must first be able to recognise it!
What is a security breach in the context of GDPR?
Definitions can be many but perhaps a more established one would be the following: A security breach is any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
What kind of GDPR security breaches may exist?
According to the guide, we can have:
- Data privacy breaches – where there is unauthorised/accidental disclosure of data or unauthorised access to data etc;
- Integrity breaches – when we have an unauthorized/accidental alteration of data;
- Availability breaches – where data is unauthorisedly or accidentally lost or certain personal data is destroyed;
Why are we afraid of breaches and what effects can they have? For an operator things are quite clear, and there may be consequences:
- Physical, material or non-material
- Limitations of rights;
- Identity theft or fraud;
- Financial losses;
- Damage to good image or reputation;
- Loss of professional secrets
- Economic, social disadvantages
However, there are also some consequences of an irreversible nature: e.g. damage to the company’s image leading to a fall in the stock market share price or, more seriously, the loss of certain personal or professional secrets leading to suicide.
Examples of security breaches:
- Ransomware attacks: e.g. An online platform owned by a hospital is attacked and the medical data of several hundred patients is blocked;
- Data theft: e.g. theft of billing data recorded through a website;
- Theft of devices and documents containing personal data: e.g. The theft of a tablet containing the name, surname, address, sex, property of citizens;
- Loss of physical mail/emails or mis-sending: e.g. the postal service provider loses the envelope containing data relating to a social survey carried out by social workers for a category of marginalised target persons;
- Human error or malice: e.g. sending an email that discloses the emails to all recipients.
To avoid all this, the GDPR regulates a framework for documenting security breaches, notifying them and informing the data subject.
- We always simply notify in the register when we have an incident even if there is no risk to the rights of the data subject (Article 33(5))!
- We will notify the ANSPDCP every time we have a risk (Article 33(1));
- The data subject is informed when the risk is REDUCED. (Article 34(1))!
Risk assessment and treatment
But how do we assess the risks for security breaches in the context of GDPR? Are we dealing with a minor risk, a medium risk or a major risk in terms of impact? What about the likelihood of reproduction?
The EDPB guide gives us some indicators to consider when assessing risk, including:
- The type of vulnerability and the method in which it occurred;
- The amount of data that has been affected;
- Number of data subjects whose data has been compromised;
- The nature, volume and sensitivity of the data that has been compromised:
- The severity of the consequences it has caused, etc.
Once we have done a risk assessment we can understand what steps we need to take and especially what technical and organisational measures we need to take to deal with the risks. Below is a sample list:
- Staff training specifically on security breach management (identifying breaches and actions to take) are essential for operators!
- Develop an awareness programme for employees and collaborators on potential risks;
- Adoption of internal documents – Security Incident Response Plan, Business Continuity Plan, Security Breach Management Manual etc, policies and procedures (e.g. Password Management Policy, IT Security Policy etc)
- Adopting back-up solutions;
- Server encryption;
- Audit systems on a regular basis;
- Proper regulation of the use of devices both inside and outside the operator’s premises;
- Installation of physical access controls, etc.
The pandemic has presented us with a number of new challenges that businesses and public institutions are trying to successfully tackle and hackers are trying to exploit. In order to protect our personal data, controllers need to analyse the risks that the processing they carry out presents and take a series of technical and organisational measures to mitigate them.
Failure to manage risks can result in the materialisation of a security breach, a range of negative consequences for data subjects’ rights and possible sanctions for operators.
The EDPB comes to our aid with a practical guide for analysing and customising each case, but it’s up to us how we handle things.
If you have identified a risk to data subjects, you are a DPO and you don’t know how to deal with it or maybe you are looking for help to deal with such a risk, we can help you! Our consultancy services will provide the ideal framework for managing these risks and dealing with them in a professional, efficient and timely manner.
But if you are a public institution or a private company with an obligation to have a Data Protection Officer (DPO) appointed and nobody is currently fulfilling this function, and you are dealing with a number of risks to the rights of data subjects, we can do it for you by collaborating in the form of Outsourced DPO.
In any case, if you have questions or want to collaborate, you can write to us at firstname.lastname@example.org!
Leave A Comment