easyGDPR
Privacy violation

11/09/2019 by Wolfgang Weissinger

The GDPR in Article 5 (1f) calls for the principle of “integrity and confidentiality”. Data must be processed in a manner that ensures adequate security. Integrity and confidentiality are no longer ensured if unauthorized access to the data happened, the data was used without authorization, or the data got lost or damaged (unauthorized changes, …). This loss of integrity or confidentiality is a breach of privacy.

There have already been some high penalties for data breaches in Europe.

Does every breach of privacy lead to a penalty?

No, data breaches occur in every company over and over again. If the data and the incident were not handled with gross negligence, there is usually no penalty from the authority. As mentioned above, the GDPR requires adequate security, not absolute security.

What is a privacy violation?

There are many ways that data can be damaged or lost. Here are some examples:

  • Malware attack
  • Successful phishing – someone has obtained critical data or access to the computer through fake emails or websites
  • Successful password attack – unknown people could guess or crack passwords and gain access to data
  • Ransomware (blackmail software) – malware has been able to encrypt or delete data
  • Denial of service – the system is unreachable due to an attack
  • Someone has physically stolen storage media
  • Illegal copies of personal data were made
  • A device (laptop, computer, mobile phone, …) has been lost
  • Computer hardware (e.g. a hard disk) failed and caused data loss
  • The firewall has detected unauthorized access
  • …

Which protection is appropriate?

It is hardly possible to completely prevent data breaches. Therefore, the GDPR also “only” requires appropriate protective measures.

What is appropriate? To decide what is appropriate, you need to know what data you are processing, what your risk is and what precautions you have taken. In other words, the information you need to define appropriate security measures is found in your record of processing activities. (easyGDPR Lite and easyGDPR Standard allow you to quickly and efficiently create the record of processing activities; the Standard version also includes the risk assessment.)

From this risk assessment, you can see whether your processing is at high risk for the affected people. There is a high risk if, for example, a credit card could be misused and the data subject suffers financial loss as a consequence of the data protection violation. In this case, ALL actions that may reduce the risk are necessary and appropriate.

If the data subject does not suffer any damage as a result of the data protection violation, but is “only” irritated or has to reenter data, this is specified as “minor consequences”.

In this case, the level of protection is much lower and there is no need to implement extremely expensive and complicated safeguards. Here it is important to ensure that data breaches are not caused by negligence. Not using a current firewall, using outdated software or not encrypting hard drives is definitely negligent in this context.

How do I prevent data breaches and how can the damage be minimized?

Preventing privacy breaches is an extensive topic. Here we can only give an overview of the five most important measures:

1) Preventing data breaches through employee training

In many cases, data loss results from “human error”. Only employees who know what to look out for have a chance to make no (or fewer) mistakes. Make sure your employees understand and use all the protections you have in place (for example, do not open Word files from unknown senders).

Only if your employees know the problems can they react correctly. (We offer individual training on request.)

2) Reduce the damage by encryption

With Microsoft BitLocker it is easy and inexpensive to encrypt the hard disks of Windows systems (Windows 7 and higher). Especially devices that are used outside the office (external hard drives, memory sticks, notebooks, mobile phones, …) must always be encrypted. These devices are easily lost or stolen.

Thanks to the encryption, it is unlikely that whoever finds or steals the notebook has the opportunity to access the data. As a result, the risk for those affected is minimized.
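As an added example (not code from the easyGDPR page), the following PowerShell audits which volumes on a Windows machine are not yet protected by BitLocker and enables protection on a given drive. It assumes an elevated session on Windows 8 / Server 2012 or later (where the BitLocker module ships), a TPM for the operating-system drive, and that the recovery password is stored away from the device at the assumed path in `$RecoveryPath`.

```powershell
# Added example, not from the easyGDPR page. Run in an elevated PowerShell session.
# Requires the BitLocker module (Windows 8 / Server 2012 and later).

function Get-UnprotectedVolumes {
    # ProtectionStatus 'On' means the volume is encrypted AND its key protectors are active.
    # Anything else (Off, or encryption still in progress with protection suspended) is a finding.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionPercentage, ProtectionStatus
}

function Enable-DriveProtection {
    param(
        [Parameter(Mandatory)][string]$MountPoint,          # e.g. 'C:' or 'E:'
        [string]$RecoveryPath = '\\backup-server\bitlocker' # assumed location, NOT on the device itself
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { Write-Host "$MountPoint is already protected"; return }

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # OS drive: key is sealed to the TPM, so the disk is unreadable outside this machine.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    } else {
        # Data and removable drives (memory sticks, external disks): password protector,
        # so the drive can still be opened on another PC by someone who knows the password.
        $pw = Read-Host -AsSecureString "BitLocker password for $MountPoint"
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw
    }

    # Always add a recovery password and keep it somewhere other than the device,
    # otherwise a forgotten password or a TPM change turns encryption into data loss.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -ExpandProperty RecoveryPassword
    $file = Join-Path $RecoveryPath ("{0}-{1}.txt" -f $env:COMPUTERNAME, $MountPoint.TrimEnd(':'))
    "$($vol.VolumeType) $MountPoint recovery password: $recovery" | Set-Content -Path $file
    Write-Host "Recovery password for $MountPoint stored at $file"
}

# Typical use: list what is still unencrypted, then fix the drives one by one.
Get-UnprotectedVolumes | Format-Table -AutoSize
# Enable-DriveProtection -MountPoint 'C:'
# Enable-DriveProtection -MountPoint 'E:'
```

`Get-UnprotectedVolumes` is the check to run across the fleet before a device leaves the office; an empty result is what the "always encrypted" rule above looks like in practice.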

3) Preventing / detecting intrusions into the network and preventing malware

State-of-the-art network protection software can detect the behaviour of encryption trojans (ransomware) and block their execution. Next-generation firewalls detect threats in websites and emails before the data even reaches the workplace.

We recommend that you make a security check to see how well your network is prepared for today’s threats. Current network protection is not expensive. We are happy to help.

4) Using current software

Many privacy breaches are made possible by software that has not been updated. A famous case is the Panama Papers, where the hack succeeded because of an outdated website.

Make sure you are using the latest software. Especially Windows and the Office-Suite should be up to date. Current versions of Office prevent the execution of malware. Potentially dangerous content can only be executed if the user explicitly gives permission. In old versions of Office the malicious software runs without asking.

We have been a Microsoft Partner for more than 15 years and are happy to help you update your system.

5) Preventing data destruction through a working backup strategy

Backup strategies are an extensive topic which we will discuss separately. Here we only want to point out two aspects:

Make sure your backup can also be read and restored. When did you last really test your backup? Is all the data available and fully readable?

Make sure that NOT every user is authorized to access the backup directly.

Make sure that a copy of the data is available offline and out of the house, so you have data available even after an emergency (e.g. fire).
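The two checks above (can the backup actually be restored, and who can reach it directly?) as an added PowerShell example; this is not code from the easyGDPR page. It assumes a plain file-copy backup reachable at `$BackupRoot` (a share, or an offline disk connected only for the test) that mirrors the directory layout of the live data in `$SourceRoot`; both paths are assumptions.

```powershell
# Added example, not from the easyGDPR page. Paths are assumptions for illustration.

function Test-BackupRestore {
    # Restores a random sample of files from the backup into a scratch directory and
    # compares SHA-256 hashes with the live copies. Files changed since the last backup
    # run will legitimately differ, so run this right after a backup or on a quiet data set.
    param(
        [Parameter(Mandatory)][string]$SourceRoot,   # live data, e.g. 'D:\Data'
        [Parameter(Mandatory)][string]$BackupRoot,   # backup copy, e.g. '\\nas\backup\Data'
        [int]$SampleSize = 25,
        [string]$RestoreDir = (Join-Path $env:TEMP 'restore-test')
    )
    $src = $SourceRoot.TrimEnd('\')
    $files = Get-ChildItem -Path $src -Recurse -File | Get-Random -Count $SampleSize
    New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
    $failed = @()
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($src.Length).TrimStart('\')
        $backupFile = Join-Path $BackupRoot $rel
        if (-not (Test-Path $backupFile)) { $failed += "$rel (missing in backup)"; continue }
        $restored = Join-Path $RestoreDir $rel
        New-Item -ItemType Directory -Path (Split-Path $restored) -Force | Out-Null
        Copy-Item -Path $backupFile -Destination $restored -Force     # the actual test restore
        $live = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $back = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
        if ($live -ne $back) { $failed += "$rel (content differs)" }
    }
    [pscustomobject]@{ Tested = $files.Count; Failed = $failed.Count; Details = $failed }
}

function Get-BackupWriteAccess {
    # Lists every identity that can change or delete the backup. Only the backup service
    # account and administrators should appear; ordinary users must not (ransomware runs as them).
    param([Parameter(Mandatory)][string]$BackupRoot)
    (Get-Acl -Path $BackupRoot).Access |
        Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl|Delete' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Typical use (paths assumed):
# Test-BackupRestore -SourceRoot 'D:\Data' -BackupRoot '\\nas\backup\Data' | Format-List
# Get-BackupWriteAccess -BackupRoot '\\nas\backup\Data' | Format-Table -AutoSize
```

A non-zero `Failed` count, or a `Users` or `Everyone` entry in the access list, is the answer to "when did you last test your backup" that should trigger a fix before the next incident, not after it.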

What do I do if a privacy violation happens?

In any case, you have to document what happened.

easyGDPR Standard maintains a directory of privacy incidents and asks all the necessary questions to handle the incident correctly.

In any case, you have to decide how big the risk is for those affected. A distinction is made between:

  • No risk: for example, an encrypted memory stick was lost (you do not have to do anything except document it).
  • There is a risk: e.g. an unencrypted memory stick was lost. Here you must inform the data protection authority within 72 hours.
  • There is a high risk: e.g. credit card or login details were stolen. Here you must inform both the authority and those affected.
