Article 5(1)(f) of the GDPR establishes the principle of “integrity and confidentiality”: data must be processed in a way that ensures adequate security. Integrity and confidentiality are lost if unauthorized persons gain access to the data, the data are used without authorization, or the data are lost or damaged (changed without authorization, …). Such a loss of integrity or confidentiality is a data breach.
There have already been some six-figure fines for data breaches in Europe.
Does every data breach result in a hefty fine?
No. Data breaches happen all the time in every company. If the data and the incident were not handled in a grossly negligent manner, there is usually no penalty from the authorities. As mentioned above, the GDPR requires adequate security, not absolute security.
What is a data breach?
There are many ways in which data can be compromised or lost. Here are a few examples:
- Malware attack
- Successful phishing – someone has obtained critical data or access to a computer by means of fake emails or websites
- Successful attacks on passwords – unknown persons were able to guess or crack passwords and thus gain access to data
- Ransomware (extortion software) – malicious software has managed to encrypt or delete data
- Denial of service – the system is no longer accessible because of an attack
- Someone has physically stolen storage media
- Illegal copies of personal data were made
- A device (laptop, computer, cell phone, …) has been lost
- Computer hardware (e.g. a hard disk) has failed and caused data loss
- The firewall has detected unauthorized access
What protection is appropriate?
It is hardly possible to prevent data breaches altogether. That is why the GDPR “only” requires appropriate protection measures.
What is appropriate? To decide, you need to know what data you are processing, the level of risk to data subjects, and what safeguards you already have in place. In other words, you will find all the information you need to define appropriate protection measures in your procedure directory. (easyGDPR Lite and easyGDPR Standard allow you to create the procedure directory quickly and efficiently. With easyGDPR, the risk assessment is included as well.)
From this risk assessment you can see whether a processing operation poses a high risk to data subjects. A high risk exists if, for example, a data breach leads to misuse of credit card data and thus to financial damage. In this case, ALL measures that can reduce the risk are necessary and appropriate.
If the data subject does not suffer any damage as a result of the data breach, but is “only” irritated or has to re-enter data, this is referred to as “minor consequences”.
In this case the required level of protection is much lower, and it is not necessary to implement extremely expensive and complicated protective measures. What matters here is that data breaches do not occur through negligence. Not using an up-to-date firewall, running outdated software or not encrypting hard drives is definitely negligent in this context.
How do I prevent data breaches or how can the damage be minimized?
Preventing data breaches is a broad topic. Here we can only provide an overview of the five most important measures:
1) Preventing data breaches through employee training.
In many cases, data loss results from “human error”. Only employees who know what to look out for have a chance of making fewer mistakes. Make sure your employees understand and apply all the safeguards in use (e.g. do not open Word documents from unknown senders).
Only if your employees know the problems can they react correctly. (We offer individual training on request.)
2) Reduce the damage through encryption.
With Microsoft BitLocker it is easy and inexpensive to encrypt hard disks on Windows systems (Windows 7 and higher). Devices that are used outside the premises (external hard drives, memory sticks, notebooks, cell phones, …) in particular must always be encrypted, because they are easily lost or stolen.
Thanks to the encryption, it is unlikely that whoever finds the notebook, or the thief, will be able to access the data. This also minimizes the risk for the data subjects.
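The following PowerShell script is an added example, not part of the original article and not easyGDPR code. It shows the two administrative steps behind point 2: auditing which volumes are not yet protected, and enabling BitLocker To Go on a removable drive with a password plus a separate recovery password, so that a forgotten password does not itself become a data loss. It assumes Windows 10/11 with the built-in BitLocker PowerShell module, an elevated session, and that "E:" (a placeholder) is the stick or external disk to protect.

```powershell
# Added example (not from the original article): audit BitLocker status on all
# volumes and enable BitLocker To Go on one removable drive.
# Assumptions: Windows 10/11 with the BitLocker module, run as administrator,
# and "E:" is a placeholder for the removable drive to protect.

function Get-UnprotectedVolumes {
    # Every volume BitLocker knows about that is not fully encrypted AND protected.
    # "ProtectionStatus Off" with "FullyEncrypted" means the keys are suspended,
    # which is as good as unencrypted for a lost device.
    Get-BitLockerVolume | Where-Object {
        $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
    }
}

function Show-BitLockerAudit {
    # One line per volume, including which key protector types are present.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ',' } } |
        Format-Table -AutoSize
}

function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [SecureString] $Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already encrypted or encryption is in progress ($($vol.VolumeStatus))."
        return
    }
    # A password protector lets the stick be unlocked on any Windows machine.
    # AES-256 (non-XTS) is chosen so the drive stays readable on older Windows
    # versions such as the Windows 7 clients mentioned in the text.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -EncryptionMethod Aes256 | Out-Null

    # Add a 48-digit recovery password as a second protector and show it once,
    # so it can be stored in the password manager or Active Directory.
    $updated = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = ($updated.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Write-Host "Recovery password for $MountPoint (store it safely, not on the stick): $recovery"
}

# Report first; encryption of the removable drive is then a single call:
Show-BitLockerAudit
$unprotected = Get-UnprotectedVolumes
if ($unprotected) {
    Write-Warning ("Not fully protected: " + ($unprotected.MountPoint -join ', '))
}
# Protect-RemovableDrive -MountPoint 'E:' -Password (Read-Host -AsSecureString 'BitLocker password for E:')
```

Encryption of a removable drive continues in the background after `Enable-BitLocker` returns; `Get-BitLockerVolume` shows `EncryptionPercentage` climbing to 100 and `ProtectionStatus` switching to `On`. The audit is the part worth running regularly: a drive that is encrypted but whose protection has been suspended shows up there, and it is exactly the "lost notebook" case the section is about.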
3) Preventing / detecting network intrusion and preventing malicious software
Modern network protection software can detect encryption Trojans (ransomware) by their behavior and prevent them from running. Next-generation firewalls detect threats from websites and emails before the data even reaches the workstation.
We recommend that you run a security check to see how well your network is equipped to deal with current threats. Up-to-date network protection is not expensive. We will be happy to advise you.
4) Use up-to-date software
Many data breaches are made possible by software that is not kept up to date. A famous case is the Panama Papers, which were stolen via a website that had not been updated.
Make sure you are using up-to-date software; Windows and Office in particular should be kept current. Current versions of Office prevent malware from running: potentially dangerous content can be executed only if the user gives explicit permission. In old Office versions, the malware runs without any prompt.
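As an added example (not from the original article and not easyGDPR code), here is a small PowerShell posture check for the two points above: how long ago the last Windows update was installed, and whether Office is configured so that macros need explicit user permission. It assumes Windows with PowerShell 5.1 or later and Office 2016/2019/365 (registry tree `16.0`); the 30-day threshold is our own placeholder, not a GDPR or Microsoft requirement.

```powershell
# Added example (not from the original article): check Windows update age and
# the Office macro setting that decides whether "dangerous content" can run
# without the user's explicit permission.
# Assumptions: PowerShell 5.1+, Office 2016/2019/365 ("16.0" registry tree),
# 30-day threshold is a placeholder of our own.

function Get-DaysSinceLastUpdate {
    # Get-HotFix lists installed Windows updates; InstalledOn is empty for some
    # entries, so those are ignored rather than sorted as "oldest".
    $last = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $last) { return $null }
    return [int]((Get-Date) - $last.InstalledOn).TotalDays
}

function Get-OfficeMacroSetting {
    # VBAWarnings: 1 = enable all macros (dangerous),
    #              2 = disable all with notification (Office default),
    #              3 = disable all except digitally signed,
    #              4 = disable all without notification.
    # A value under Software\Policies (set by group policy) overrides the
    # user's own choice, so it is read first.
    param([string] $App = 'Word')
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security",
        "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($v) {
            return [pscustomobject]@{ App = $App; VBAWarnings = $v.VBAWarnings; Source = $p }
        }
    }
    # Nothing written means Office uses its default: disabled with notification.
    return [pscustomobject]@{ App = $App; VBAWarnings = 2; Source = 'default (not set)' }
}

$days = Get-DaysSinceLastUpdate
if ($null -eq $days) {
    Write-Warning 'No installed update with a date was found; check Windows Update manually.'
} elseif ($days -gt 30) {
    Write-Warning "Last Windows update was installed $days days ago."
} else {
    Write-Host "Windows updates: last installed $days days ago."
}

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $s = Get-OfficeMacroSetting -App $app
    $verdict = if ($s.VBAWarnings -eq 1) { 'ALL MACROS ENABLED, fix this' }
               else { 'macros need explicit user permission' }
    Write-Host ("{0,-10} VBAWarnings={1} ({2}) from {3}" -f $s.App, $s.VBAWarnings, $verdict, $s.Source)
}
```

Any application reporting `VBAWarnings=1` has been switched back to the behaviour the text warns about in old Office versions. For a fleet, the same two functions can be run through remoting and the results collected centrally; the per-user registry path means the check must run in the user's context, not only as an administrator.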
We have been a Microsoft partner for more than 15 years and are happy to help you upgrade your system.
5) Prevent data destruction through a functioning backup strategy.
Backup strategies are an extensive topic that we will discuss separately. Here we would like to point out only the following aspects:
- Make sure that your backup can actually be read and restored. When did you last really test your backup? Are all the data available and can they be read at all?
- Make sure that NOT every user is authorized to access the backup directly.
- Ensure that a copy of the data is kept offline and off-site so that data are still available after an emergency (e.g. a fire).
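The script below is an added example (not from the original article and not easyGDPR code) of the first two aspects: a restore test that proves the backup can be read back unchanged, and a check that the backup location is not readable by every user. It records a SHA-256 hash of each file at backup time, restores the backup to a scratch folder, compares every file against the manifest, and then lists ACL entries that grant broad groups access to the backup path. All paths are constructed under `$env:TEMP` so it can be tried offline; for a real backup, point `$src` and `$bak` at the production data and the backup target, and the restore step at the output of your backup tool's restore.

```powershell
# Added example (not from the original article): verify that a backup can be
# restored unchanged, and that the backup path is not open to every user.
# Assumptions: Windows PowerShell 5.1+ or PowerShell 7; the three folders under
# $env:TEMP and the two sample files are constructed for this demo.

function New-BackupManifest {
    # Hash every file under $Path. The manifest is what a later restore is
    # compared against, so it must be stored separately from the backup itself.
    param([Parameter(Mandatory)] [string] $Path)
    $manifest = @{}
    $base = $Path.TrimEnd('\')
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-RestoredData {
    # Compare a restored tree against the manifest; returns a list of problems
    # (missing or corrupted files). An empty result means the restore is complete.
    param(
        [Parameter(Mandatory)] [hashtable] $Manifest,
        [Parameter(Mandatory)] [string] $RestorePath
    )
    $problems = @()
    foreach ($rel in $Manifest.Keys) {
        $file = Join-Path $RestorePath $rel
        if (-not (Test-Path -LiteralPath $file)) { $problems += "missing: $rel"; continue }
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($hash -ne $Manifest[$rel]) { $problems += "corrupted: $rel" }
    }
    return $problems
}

function Get-BroadBackupAccess {
    # ACL entries that give Everyone, Authenticated Users or the built-in Users
    # group any rights on the backup path. A backup target should be reachable
    # only by the backup service account and administrators; otherwise ransomware
    # running as an ordinary user can encrypt the backup together with the data.
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -match 'Everyone|Authenticated Users|\\Users$'
    }
}

# --- constructed demo data ---
$src     = Join-Path $env:TEMP 'backup-demo-src'
$bak     = Join-Path $env:TEMP 'backup-demo-bak'
$restore = Join-Path $env:TEMP 'backup-demo-restore'
Remove-Item -Path $src, $bak, $restore -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $src, $bak, $restore | Out-Null
Set-Content -Path (Join-Path $src 'customers.csv') -Value 'id,name'
Set-Content -Path (Join-Path $src 'invoices.txt') -Value 'invoice 1'

$manifest = New-BackupManifest -Path $src                  # taken at backup time
Copy-Item -Path "$src\*" -Destination $bak -Recurse        # "the backup"
Copy-Item -Path "$bak\*" -Destination $restore -Recurse    # "the restore test"
# Simulate a damaged restore so the check has something to find
Set-Content -Path (Join-Path $restore 'invoices.txt') -Value 'invoice 1 (damaged)'

$problems = Test-RestoredData -Manifest $manifest -RestorePath $restore
if ($problems) {
    Write-Warning ("Restore test FAILED:`n  " + ($problems -join "`n  "))
} else {
    Write-Host 'Restore test passed: every file is present and unchanged.'
}

$broad = Get-BroadBackupAccess -Path $bak
if ($broad) {
    Write-Warning "Backup path $bak is accessible to broad groups:"
    $broad | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

Run as written, the restore test reports `corrupted: invoices.txt` because the demo deliberately alters the restored copy; remove that line and it passes. The ACL check will usually also warn on a folder under `$env:TEMP`, which is the point: a backup target inherited from a normal user profile or a shared folder is exactly the "every user can access the backup" situation the second aspect warns about. The third aspect, an offline and off-site copy, cannot be verified by a script on the same machine; it belongs on the checklist for the separate backup discussion.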
What do I do if a data breach occurs?
In any case, you must document what happened.
easyGDPR Standard keeps a record of data protection incidents and asks all the necessary questions to deal with the incident correctly.
In each case, you must decide how great the risk is for the data subjects. A distinction is made between:
- No risk: for example, an encrypted memory stick was lost (apart from logging the incident, you don’t have to do anything).
- There is a risk: e.g. an unencrypted memory stick was lost. Here you must inform the data protection authority within 72 hours.
- There is a high risk: e.g. credit card or login data have been stolen. Here you have to inform both the authority and the affected persons.