The GDPR in Article 5 (1f) calls for the principle of “integrity and confidentiality”. Data must be processed in a manner that ensures adequate security. The integrity and confidentiality is not given if unauthorized access to the data happend, the data was used without authorization, the data gpt lost or damaged (unauthorized changes, …). This loss of integrity or confidentiality is a breach of privacy.
Does every breach of privacy lead to a penalty?
No, data breaches occur in every company over and over again. If the data and the incident were not handled with gross negligence, there is usually no penalty from the authority. As mentioned above, the GDPR requires adequate security, not absolute security.
What is a privacy violation?
There are many ways that data can be damaged or lost. Here some examples:
- Attack of malware
- Successful Phishing – Someone has received critical data or access to the computer through fake emails or websites
- Successful Attacking Passwords – Unknown people could guess / hack passwords, gaining access to data
- Blackmail software – A malware has been able to encrypt / delete data
- Denial of Service – The system is unreachable due to an attack
- Someone has physically stolen storage media
- There were illegal copies of personal data
- A device (laptop, computer, mobile phone, …) has been lost
- A computer hardware (eg hard disk) broke down and caused data loss
- The firewall has detected unauthorized access
Which protection is appropriate?
It is hardly possible to completely prevent data breaches. Therefore, the GDPR also “only” appropriate protective measures.
What is appropriate? To decide what is appropriate, you need to know what data you are processing, what your risk is and what precautions you have taken. In other words, you will find this information in your record of processing activities to define appropriate security measures. (easyGDPR Lite and easyGDPR standard allow you to quickly and efficiently create the record of processing activities, version standard also includes the risk assessment.)
From this risk assessment, you can see if your processing is at high risk for the affected people. There is a high risk if e.g. by misuse of the credit card which will damage to the property as consequences of a data protection injury. In this case, ALL actions that may reduce the risk are necessary and appropriate.
If the data subject does not suffer any damage as a result of the data protection violation, but is “only” irritated or has to reenter data, this is specified as “minor consequences”.
In this case, the level of protection is much lower and there is no need to implement extremely expensive and complicated safeguards. Here it is important to ensure that data breaches are not caused by negligence. Not using a current firewall, using outdated software or not encrypting hard drives is definitely negligent in this context.
How do I prevent data breaches and how can the damage be minimized?
Preventing privacy breaches is an extensive topic. Here we can only give an overview of the five most important measures:
1) Preventing data breaches through employee training
In many cases, data loss results from “human error”. Only employees who know what to look out for have a chance to make no (or fewer) mistakes. Make sure your employees understand and use all the protections you use (for example, do not open Word-files from unknown senders).
Only if the problems are known to your employees, they can react correctly. (We offer individual training on request.)
2) Reduce the damage by encryption
With Microsoft Bitlocker it is easy and inexpensive to encrypt the hard disks with Windows systems (Windows 7 and higher). Especially devices that are used outside the office (external hard drives, memory sticks, notebooks, mobile phones, …) must always be encrypted. These devices can be easily lost or stolen.
Due to the encryption, it is unlikely that the one who finds the notebook or the thief has the opportunity to access the data. As a result, the risk for those affected is minimized.
3) Preventing / detecting intrusions into the network and preventing malware
State-of-the-art network protection software can detect encryption trojans behavior and prevent the execution. Next generation firewalls detect threats to websites and emails before the data even reaches the workplace.
We recommend that you make a security check to see how well your network is prepared for today’s threats. Current network protection is not expensive. We are happy to help.
4) Using current software
Many privacy breaches are made possible by non-updated software. A famous case is the Panama Papers, were the hacking was successful because of an un-updated website.
Make sure you are using the latest software. Especially Windows and the Office-Suite should be up to date. Current versions of Office prevent the execution of malware. Potentially dangerous content can only be executed if the user explicitly gives permission. In old versions of Office the malicious software runs without asking.
We have been a Microsoft Partner for more than 15 years and are happy to help you update your system.
5) Preventing data destruction through a working backup strategy
Backup strategies are an extensive topic which we will discuss separately. Here we only want to point out two aspects
Make sure your backup can also be read and restored. When did you really test your backup? Are all data available and are fully readable?
Make sure that NOT every user is authorized to access the backup directly.
Make sure that a copy of the data is available offline and out of the house, so you have data available even after an emergency (e.g. fire).
What do I do if a privacy violation happens?
In any case, you have to document what happened.
easyGDPR Standard maintains a directory of privacy incidents and asks all the necessary questions to handle the incident correctly.
In any case, you have to decide how big the risk is for those affected. It is differentiated between:
- No risk: for example, encrypted memory stick was lost (you do not have to do anything except documenting).
- There is a risk: e.g. unencrypted memory stick was lost. Here you must inform the data protection authority within 72 hours.
- There is a high risk: e.g. Credit cards or login details were stolen. Here they must inform the authority and those affected.