GDPR Security Briefs – Introduction
One thing the pandemic has changed enormously is that companies, especially corporations, no longer control their infrastructure or how employees use it. That is why managing GDPR security breaches has become a real challenge: if you used to have 100 employees and one office to protect, you now have 100 offices to protect (or 1000, or 5000).
Things are very different now, and hackers are taking advantage of it! Cyber-attacks have increased by over 400% since the start of the pandemic, according to an FBI report from 2020 (over 4000 cases per day).
In this context, the EDPB has adopted a new guide on security breach notification!
This guide complements the 2017 guide on the general aspects of notification. What is new? Drawing on the experience gained at European level, we are presented with a practical guide that can be of use to every controller (operator). Through its examples and guidance, the guide shows that in order to deal with a security breach, the controller must first be able to recognise it!
What is a security breach in the context of GDPR?
There are many definitions, but perhaps the most established one is the following: a security breach is any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
What kind of GDPR security breaches may exist?
According to the guide, breaches fall into three kinds:
- Confidentiality breaches – unauthorised or accidental disclosure of, or unauthorised access to, personal data;
- Integrity breaches – unauthorised or accidental alteration of personal data;
- Availability breaches – unauthorised or accidental loss of access to, or destruction of, personal data.
Why are we afraid of breaches, and what effects can they have? For a controller things are quite clear; the possible consequences include:
- Physical, material or non-material damage;
- Limitation of rights;
- Identity theft or fraud;
- Financial loss;
- Damage to image or reputation;
- Loss of professional secrets;
- Economic or social disadvantage.
Some consequences, however, are irreversible: for example, damage to the company's image that leads to a fall in its share price or, more seriously, the loss of certain personal or professional secrets that leads to suicide.
Examples of security breaches:
- Ransomware attacks: e.g. an online platform owned by a hospital is attacked and the medical data of several hundred patients is blocked (made inaccessible);
- Data theft: e.g. theft of billing data collected through a website;
- Theft of devices and documents containing personal data: e.g. theft of a tablet containing citizens' names, surnames, addresses, sex and property details;
- Loss or mis-delivery of post or email: e.g. the postal service provider loses an envelope containing data from a social survey carried out by social workers among a category of marginalised persons;
- Human error or malice: e.g. sending an email with all recipients visible, thereby disclosing their email addresses to one another.
To address all this, the GDPR lays down a framework for documenting security breaches, notifying them and informing the data subject:
- Every incident is recorded in the internal breach register, even where there is no risk to the rights of the data subject (Article 33(5))!
- The ANSPDCP is notified whenever the breach is likely to result in a risk (Article 33(1));
- The data subject is informed when the risk is HIGH (Article 34(1))!