Information about GDPR
Companies need to work with their information security
Companies need to work with their information security to ensure adequate protection of the personal data they process. Technical and organisational security measures should be taken to prevent, in particular, personal data from being leaked, or from being altered or destroyed without authorisation.
A large part of information security is about the employees of a company having access to the right information at the right time, so that the company can fulfil its obligations under the GDPR. For example, if the company needs to notify a personal data breach to the national data protection authority, it must do so within 72 hours of discovery. If a data subject requests access to his or her personal data under the GDPR, employees must know how to handle the request in practice.
Personal data breaches and how to handle them
If an unauthorised person gains access to personal data that the company processes, this constitutes a personal data breach, for example when someone hacks into a computer system and reads the personal data stored there. Access is also unauthorised when an employee within the company who should not have access to the personal data obtains it anyway. Personal data breaches can have serious consequences for data subjects, such as fraud, identity theft or damaging rumours.
It is also a personal data breach if personal data is unlawfully deleted or altered, for example if a computer that processes personal data is infected by a virus and all the personal data is lost. It is therefore good practice to implement technical security measures, such as storing backup copies on a cloud service and installing antivirus software.
Risk assessment of a personal data breach
When a personal data breach occurs, the company must carry out a risk assessment. Its purpose is to assess the risk that the breach may pose to the data subjects concerned, so that the company can decide whether or not it needs to inform them of the breach. The sensitivity of the personal data is an important factor in assessing the seriousness of the breach: the more sensitive the personal data, the more serious the breach.
Documentation of individual personal data breaches
All companies must document in writing any personal data breaches that have occurred. This applies regardless of whether the company needs to inform the supervisory authority and/or the data subjects of the breach. Please note that the national data protection authority may request access to the documentation of the personal data breach in the event of supervision. The documentation shall include, inter alia, information on what has occurred and what measures the company has taken subsequently.
Cross-border processing of personal data
In some cases, a personal data breach may be related to several countries within the EU. In such cases, there is a cross-border personal data breach. It is important for companies that process personal data in several countries within the Union to know which is the company’s lead supervisory authority. If a cross-border personal data breach occurs that is notifiable, the company shall notify the lead supervisory authority.
Preventive measures
Companies shall prevent personal data breaches by taking appropriate preventive measures. In addition, companies need to know how to act in the event of a personal data breach; for example, the company can create internal routines so that employees know what to do. It is important to act as quickly as possible when a personal data breach is suspected or detected, as the consequences can worsen as time goes on.
Tip: Companies can download a guide from the European Data Protection Board on how companies can handle personal data breaches.
Informing data subjects of a personal data breach
In the event of a personal data breach, the company must, in certain cases, inform the data subjects concerned. This shall be done if the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects. In addition, in some cases, the company may need to notify the personal data breach to the national data protection authority. A notification to the national data protection authority shall be made within 72 hours of the discovery. The controller is responsible for carrying out the notification.
A company in Poland had to pay a fine for, among other things, failing to comply with its obligation to notify the personal data breach to the supervisory authority in a timely manner.
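The breach-handling steps described above (risk assessment, the 72-hour notification deadline, the lead supervisory authority for cross-border breaches, and written documentation of every breach) can be tracked in a small breach register. The following is an added illustration, not code from the original page; the risk heuristic, the authority names and the sample incident are constructed assumptions, not the legal test itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed set: the Article 9 special categories are treated as sensitive.
SENSITIVE_CATEGORIES = {"health", "biometric", "genetic", "ethnic_origin",
                        "political_opinion", "religion", "trade_union",
                        "sexual_orientation"}
NOTIFICATION_WINDOW = timedelta(hours=72)  # deadline counted from discovery

@dataclass
class PersonalDataBreach:
    discovered_at: datetime       # when the company became aware of the breach
    data_categories: set          # e.g. {"name", "email", "health"}
    breach_type: str              # "confidentiality", "integrity" or "availability"
    subjects_affected: int
    member_states: set            # EU member states whose data subjects are affected
    data_encrypted: bool = False  # data unreadable to the intruder (key not exposed)
    lead_authority: str = "LEAD-SA-PLACEHOLDER"          # hypothetical names
    national_authority: str = "NATIONAL-SA-PLACEHOLDER"
    record: list = field(default_factory=list)           # written documentation

    def notification_deadline(self) -> datetime:
        return self.discovered_at + NOTIFICATION_WINDOW
    def is_overdue(self, now: datetime) -> bool:
        return now > self.notification_deadline()
    def risk_level(self) -> str:
        # Constructed heuristic, not the legal test: 'unlikely', 'risk' or 'high'.
        if self.breach_type == "confidentiality" and self.data_encrypted:
            return "unlikely"  # only ciphertext leaked, key still secret
        if self.data_categories & SENSITIVE_CATEGORIES or self.subjects_affected >= 1000:
            return "high"      # sensitive data or large scale
        return "risk"
    def must_notify_authority(self) -> bool:
        return self.risk_level() != "unlikely"
    def must_inform_subjects(self) -> bool:
        return self.risk_level() == "high"
    def authority_to_notify(self) -> str:
        # A cross-border breach is notified to the lead supervisory authority.
        return self.lead_authority if len(self.member_states) > 1 else self.national_authority
    def document(self, when: datetime, entry: str) -> None:
        # Every breach is documented, whether or not it turns out to be notifiable.
        self.record.append((when.isoformat(), entry))

def constructed_example() -> PersonalDataBreach:
    # Constructed sample: intrusion into an HR system with sick-leave data in two member states.
    discovered = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
    breach = PersonalDataBreach(discovered, {"name", "email", "health"}, "confidentiality", 250, {"SE", "PL"})
    breach.document(discovered, "Unauthorised login to HR system detected; account disabled, incident opened.")
    return breach
```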
Organisational security measures to protect processed personal data
Companies shall, among other things, take appropriate organizational measures to protect the personal data they process. This is reflected in one of the fundamental data protection principles of Article 5(1)(f) of the GDPR, namely the principle of integrity and confidentiality. In other words, companies must take appropriate security measures when processing personal data.
Authorisation management as a security measure
In order to ensure that no more people than necessary have access to personal data, it is good to implement sound authorisation management, that is, deciding who may access which personal data. In law and in the GDPR, the concepts of authorisation and mandate are important terms to understand:
Authorisation: what access a person has to personal data.
Mandate: what a person is allowed to do with the personal data, as well as when and how the processing may take place.
Instructions and internal procedures for employees
To minimize the risk of employees violating the rules of the GDPR and to make their work easier, it is good to draw up written instructions. For example, written procedures on how employees should proceed when a personal data breach occurs. Written instructions and internal procedures are also a good way to demonstrate that the company complies with GDPR and the principle of accountability.
Training for employees on data protection
It is good to offer training to staff who work on data protection issues, especially if the company has a data protection officer: the company should, for example, offer its data protection officer further training in the GDPR when new practices emerge. In addition, it is good to offer some form of basic GDPR training to other employees who process personal data, such as managers, customer service staff and sales representatives.
Building a good and strong security culture
It is good to build a strong security culture within the company that permeates the entire business, including the processing of personal data. In other words, this is about creating common values, offering knowledge and creating a motivational attitude regarding data protection work. For example, it is good to create routines and instructions on how employees should act and report suspected personal data breaches.
Technical security measures to protect personal data
In addition to the organisational security measures that the company needs to take, technical security measures must also be taken to protect personal data. Which measures a company needs to take depends, among other things, on the type of processing and on how sensitive the personal data is. Below you can read about some common technical security measures.
Authentication at login
It may be necessary for individuals to confirm their identity before they can access personal data; this is known as authentication. For example, this applies when they log into a system that processes personal data, such as the company’s financial system or CRM system. Depending on the situation, the company may need to use a stronger authentication process, for example by requiring additional verification of identity at login, such as a fingerprint or a one-time code.
If a person logs in to a bank to transfer money, it is not safe enough to just log in with a username and password. However, it may be enough for the person to log in to the company’s social media.
Encryption of information
Encryption is a common technical security measure that companies take with the aim of protecting personal data, especially personal data that requires extra protection, such as the sensitive personal data regulated in Article 9 of the GDPR. In short, encryption means that the data can be read only by someone who holds the correct secret encryption key, which reduces the risk of unauthorised access to the information.
In some cases, personal data may need to be encrypted both in transit and at rest. For example, an employer may want to email an employee a pay slip that contains information about sick leave, which is sensitive personal data; in such cases the pay slip should be sent by encrypted email.
Data backup
Many people do not know that personal data that is unlawfully altered or deleted constitutes a type of personal data breach, for example if a computer that stores personal data is infected by a virus and the personal data is thereby lost. It is therefore good to keep a backup of personal data, for example on a cloud service. Please note that the backups must be protected just as carefully as the original data.
Network segmentation
By splitting a data network into several sub-networks (network segmentation), the company can prevent unauthorized access and disclosure of personal data. In other words, network segmentation prevents communication between, for example, two systems that do not need to communicate with each other.
Thus, if an unauthorised person gets into one sub-network, he or she will not have access to all the information that would have been reachable if the company had not divided its network into several sub-networks.