GDPR Learning Hub

Measures

Information security

Companies must protect the personal data they process, and this can be done in different ways. The company therefore needs to establish and implement internal procedures, and make other information available to its employees, so that they can protect the personal data in practice. The more sensitive the personal data, the stronger the protection it needs. The better the information security a company implements within its business, the lower the risks associated with its processing of personal data.

Personal data breaches under GDPR

Personal data breaches can have major consequences for the data subjects concerned, for example identity theft or financial damage. Companies can also face major consequences if they have not taken adequate organisational and technical security measures to prevent personal data breaches. The same applies if the company violates the GDPR in other respects, for example by not reporting a personal data breach in time.

Common examples of personal data breaches:

  • Unlawful destruction of personal data.
  • Unauthorised disclosure of personal data.
  • Unauthorised access to personal data.
  • Unintentional loss of personal data.
  • Unauthorised alteration of personal data.

Risk assessment following a personal data breach

Companies must always carry out a risk assessment following a personal data breach. The purpose of the assessment is to find out what risks the breach entails for the rights and freedoms of the data subjects, which in turn determines whether the breach must be notified to the supervisory authority and communicated to the data subjects. Examples of what companies can take into account when carrying out the risk assessment:

Breach

The nature of the personal data breach. For example, whether it is an email sent to the wrong recipient containing ordinary personal data, such as a name and phone number, or a breach in which sensitive personal data about a person's health has been leaked.

Character and sensitivity

The more sensitive the personal data, the higher the risk to the rights and freedoms of the data subjects. It is therefore important to analyse how sensitive the personal data is. Is it, for example, a person's credit card details or other information that is particularly worthy of protection?

Consequences

The possible consequences of the personal data breach. For example, if credit card details have been leaked, this can lead to financial damage.

Characteristics

Whether the data subjects belong to a vulnerable group that is particularly worthy of protection, such as children, the elderly or individuals with disabilities.

Volume

How many people have been affected by the personal data breach. The impact is often greater the more people are affected, but this is not always the case. It is also useful to analyse the volume of personal data affected by the breach, and not just the number of data subjects.

The regulation requires documentation of all personal data breaches that have occurred

Any company that detects a personal data breach in relation to the personal data it processes must document it. This documentation requirement applies regardless of whether the breach is serious enough to have to be notified to the national data protection authority and communicated to the data subjects: all breaches that have occurred must be documented, but not all need to be reported. The documentation should record the facts of the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance. In addition, it is good to have internal routines for how employees should act in the event of a personal data breach; prompt action can greatly reduce the consequences.

Companies shall take various appropriate preventive measures

In addition to preventing personal data breaches, companies should also try to minimise the consequences once a breach has occurred. The GDPR requires companies to protect the personal data they process, which includes implementing various appropriate preventive measures.

Inform affected data subjects of an occurred personal data breach

Data subjects shall be informed of personal data breaches that are likely to result in a high risk to their rights and freedoms. In this way, they can also help to minimise the negative consequences themselves. For example, if a credit card number leaks, the data subject can block the card.

In addition, the company that is the controller of the personal data in question must notify personal data breaches to the national data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification must be made without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach; a later notification must be accompanied by the reasons for the delay.

Cross-border personal data breaches

When a personal data breach affects data subjects in several EU countries, it is a cross-border personal data breach. Companies operating in several countries in the Union need to assess which data protection authority is the lead supervisory authority, among other things in order to know where to report a personal data breach.

However, data subjects may lodge their complaint with the national data protection authority of their country of residence, which in turn may transfer the case to another supervisory authority if it is more appropriate.

Organisational security measures to protect personal data

In order to comply with the GDPR, companies need to take various appropriate security measures. These include organisational security measures to protect personal data, as well as other organisational measures, for example to be able to fulfil the rights of data subjects.

Authorization management and access rights

Companies should control who has access to personal data, to ensure that unauthorised persons do not have it. This is especially important in larger companies and in companies that process sensitive personal data, such as special categories of personal data.

The principle that employees should have access to personal data on a 'need-to-know' basis is a good starting point. In short, this means that only employees who need to process the personal data in order to perform their tasks should have such access; other employees should not. In addition, it is important to revoke access rights as soon as they are no longer necessary, for example when an employee changes role or leaves the company. Authorisation management should be monitored and reviewed on an ongoing basis, so that accumulated and unused access rights are detected and removed.
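A need-to-know review of the kind described above can be automated. The following is an added example written for this page, not code from the learning hub: it compares current access grants against a role-based need-to-know matrix and flags grants that should be revoked because the account is unknown, the employee has left, the role does not need the dataset, or the access has not been used for a long time. The employees, datasets, role matrix and the 90-day "unused" threshold are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed need-to-know matrix (assumption for this example):
# which personal-data stores each role needs in order to perform its tasks.
ROLE_NEEDS = {
    "payroll": {"hr_records", "bank_details"},
    "support": {"customer_contacts"},
    "developer": set(),   # developers work on test data, not live personal data
}

# Assumed threshold: a grant not used within this period is "no longer necessary".
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Employee:
    user: str
    role: str
    active: bool                 # False once the person has left the company


@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    last_used: Optional[date]    # None = never used since the grant was issued


def review_access(employees: List[Employee], grants: List[Grant],
                  today: date) -> List[Tuple[str, str, str]]:
    """Return (user, dataset, reason) for every grant that should be revoked.

    Checks, in order: the account must belong to a known employee, the
    employee must still be active, the employee's role must need the dataset
    (need-to-know), and the access must have been used within STALE_AFTER.
    """
    by_user = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None:
            findings.append((g.user, g.dataset, "no matching employee record"))
        elif not emp.active:
            findings.append((g.user, g.dataset, "employee has left; access not revoked"))
        elif g.dataset not in ROLE_NEEDS.get(emp.role, set()):
            findings.append((g.user, g.dataset, f"role '{emp.role}' does not need this dataset"))
        elif g.last_used is None or today - g.last_used > STALE_AFTER:
            findings.append((g.user, g.dataset, "not used within the review period"))
    return findings


def sample_findings() -> List[Tuple[str, str, str]]:
    """Run the review over constructed sample data (not real employees)."""
    today = date(2024, 6, 1)
    employees = [
        Employee("alice", "payroll", True),
        Employee("bob", "support", True),
        Employee("carol", "developer", True),
        Employee("dave", "payroll", False),          # left the company last month
    ]
    grants = [
        Grant("alice", "hr_records", date(2024, 5, 28)),        # legitimate and in use
        Grant("alice", "bank_details", date(2024, 1, 10)),      # legitimate role, but stale
        Grant("bob", "customer_contacts", date(2024, 5, 30)),   # legitimate and in use
        Grant("carol", "hr_records", date(2024, 5, 30)),        # developer has no need to know
        Grant("dave", "hr_records", date(2024, 4, 20)),         # departed employee
        Grant("svc_legacy", "bank_details", None),              # orphaned account, never used
    ]
    return review_access(employees, grants, today)


if __name__ == "__main__":
    for user, dataset, reason in sample_findings():
        print(f"REVOKE {user:<11} {dataset:<18} {reason}")
```

In practice the employee list would come from the HR system and the grants and last-used dates from the directory or application audit logs; the point of the review is that every grant must be justified by a current role, not merely by having been granted once.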

Instructions and routines for employees

Companies should establish internal procedures and instructions to their employees on how to work in practice to comply with the rules of the GDPR. All processing of personal data is in practice carried out by employees, although it is the company that legally has the ultimate responsibility for the processing taking place in accordance with GDPR.

If a company has several departments, it is good to create custom instructions for the respective departments. The reason for this is that it is often not necessary for all employees to know all the rules in GDPR in order to be able to manage their tasks. In addition, the company should have internal procedures for handling personal data breaches, etc.

Security culture and training

Data protection is important for every company that processes personal data, which is the vast majority of companies. Good data protection requires a good security culture within the business. Among other things, this can be achieved by training staff in the parts of the GDPR that matter for their tasks.

In addition, it can be useful for large companies with several departments to appoint data protection ambassadors in each department, who receive specific training and act as the contact person for data protection questions within the department.

Technical security measures to protect personal data

It is important that the company takes appropriate technical security measures to protect personal data in accordance with the GDPR. The more sensitive the personal data, the stronger the security measures the company needs to take.

In addition, companies need to implement other technical measures to comply with other rules in the GDPR and other laws. For example, companies operating an online marketplace need to put in place a technical solution that allows users to report fake and other illegal goods.

Authentication as part of the identity process

It is common for users to have to identify themselves before they can access systems that process personal data, for example by logging in with a registered username and password. This is a form of authentication. In some cases, however, a stronger authentication process is appropriate.

For example, if a person wants to take out a loan from their bank via their mobile phone, it may be appropriate to require login with an eID or similar, and not only a username and password.

For companies that process very sensitive personal data, such as health data, stronger authentication may mean a fingerprint or a dedicated card (a hardware token) used in combination with a password or PIN, so that more than one factor is required to log in.

Encryption of data during storage and transmission

Encryption of personal data and other information is a common technical measure. For example, a company may encrypt an email containing sensitive personal data before sending it. Encryption may also be appropriate when storing personal data, in particular privacy-sensitive personal data. In short, encryption means that an algorithm combined with an encryption key transforms data so that it is unreadable to anyone who does not have the key. It follows that the keys must be protected at least as carefully as the data itself, and that leaked data which was properly encrypted poses a lower risk to the data subjects, which the GDPR recognises by not requiring communication to data subjects in that case.

Backup of personal data and other information

To avoid unauthorised destruction, alteration or loss of personal data, it is good to back it up, for example by taking regular backups that are then stored in a secure cloud service. If data is unlawfully lost or altered, this constitutes a personal data breach which the company must prevent, so backups are a natural part of the technical security measures. However, the copies must be protected just as the company protects the originals, for example by encrypting them and restricting who can access them, and the company should regularly test that backups can actually be restored. In addition, the company needs to erase backups once their retention period has expired, since personal data may not be kept longer than necessary.

Network segmentation of computer networks

One technical security measure that can reduce the consequences of a personal data breach is to divide the data network into several sub-networks, known as network segmentation. Systems that process personal data are placed in their own segment and traffic between segments is restricted, so that an attacker who compromises one part of the network cannot freely reach the others. This is also a way to counteract unauthorised access to and disclosure of personal data.

Third country transfers

A third country is a country outside the EU/EEA. When a company transfers personal data to such a country, stricter rules apply. Examples of situations in which transfers of personal data to third countries are common:

Email

When a person sends an email containing personal data, for example by attaching a document to an email sent to a recipient in Asia.

Cloud service

If a company stores personal data in a cloud service whose servers are located in the United States.

Contract

When a company in the EU enters into an agreement with a company in Africa under which personal data is shared.

Adequate level of protection as assessed by the European Commission

If a country is deemed to have an adequate level of protection, personal data may be transferred there without additional safeguards, such as binding corporate rules or standard contractual clauses.

However, a company cannot decide for itself whether a country has an adequate level of protection or not. This is a decision taken by the European Commission.

Specific situations and occasional transfers

Even if a third country is not covered by an adequacy decision of the European Commission and the company has not put in place additional safeguards, a transfer may still be permitted in specific situations. For example, a transfer is allowed if the data subject has explicitly consented to it, after having been informed of the processing and of the possible risks the transfer involves for them due to the absence of an adequacy decision and appropriate safeguards. These exceptions are meant for specific, occasional situations and cannot replace a general transfer mechanism for regular transfers.

Additional safeguards for third country transfers

A company may put in place appropriate safeguards when transferring personal data to a third country, in which case the transfer may be permitted. A condition is that enforceable data subject rights and effective legal remedies are available, so that the data subject can exercise their rights and, if necessary, have the matter tried in a court of law.

Here you can read the recommendations of the European Data Protection Board on supplementary measures that complement transfer tools, to ensure that transfers of personal data to third countries comply with the EU level of protection of personal data.

Binding corporate rules (BCRs)

It is possible to establish binding corporate rules, which for example a group of companies with entities in several countries can use when transferring personal data to third countries within the group. The BCRs must be approved by the competent EU data protection authority in order to be valid, and the European Data Protection Board issues an opinion before the approval decision is taken.

Standard Contractual Clauses (SCCs)

The European Commission has adopted standard contractual clauses (SCCs) that companies can use when transferring personal data to third countries. In other words, a company that enters into an agreement with a company in a third country without an adequate level of protection may include the appropriate clauses adopted by the European Commission. Please note that the clauses may not be modified, and that it is important to use the module that matches the specific situation (for example controller to processor, or processor to processor).

Codes of conduct or certification mechanisms

If a company in a third country adheres to an approved code of conduct, it may be permitted to transfer personal data to that company. The same applies if it has joined an approved certification mechanism. It is common for organisations representing a specific industry to draw up codes of conduct that can be adhered to.

Here you can read guidelines from the European Data Protection Board regarding codes of conduct as tools for transfers of personal data to third countries.

GDPR-related agreements and documents

There are several agreements and documents that companies need and/or should draw up in writing in order to comply with the GDPR. Under the principle of accountability, companies must be able to demonstrate that they comply with the GDPR, which includes being able to present appropriate written GDPR-related documents and agreements. Below is a brief summary of some key GDPR-related documents and agreements that most companies need.

Privacy notice with information about the processing of personal data

Companies must inform data subjects about the processing of their personal data, at the latest when the personal data is collected from them or, if the data is obtained from another source, within a reasonable period thereafter. This is usually done in a privacy notice published on, for example, the company's official website.

The information in the notice shall include, among other things, the purposes of the processing, the legal basis, the period for which the data will be stored (or the criteria used to determine that period) and the rights of the data subjects. Articles 13 and 14 of the GDPR set out the minimum content of a privacy notice.

Data processing agreement between a processor and a controller, or between two processors

When a data controller engages a data processor, i.e. another actor who carries out the processing of personal data on behalf of the data controller, they need to enter into a Data Processing Agreement (DPA). This is regulated in Article 28 of the GDPR, which contains information about the minimum requirements regarding the content of the data processing agreement.

The Data Processing Agreement must be in writing, including in electronic form, in order to be valid under the GDPR. For example, companies typically use cloud services for backup; in such cases, the company operating the cloud service is a data processor.

In addition, a processor that in turn engages another processor (a sub-processor) to carry out processing on behalf of the controller must enter into a Data Processing Agreement with that sub-processor imposing the same data protection obligations, and may only do so with the controller's prior written authorisation.

Record of processing activities (ROPA) with information on the processing of personal data

Some companies need to draw up a record of their processing activities, containing information on the processing of personal data carried out by the company. It must be in writing, and the national data protection authority may request access to it; upon such a request, the company shall make it available. Please note that the obligation does not apply to all companies: under Article 30(5) of the GDPR, enterprises with fewer than 250 employees are exempt unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of personal data or data relating to criminal convictions and offences.

Specific record for personal data processors

It is not only controllers who need to keep a written record of processing activities. Processors must also keep a record pursuant to Article 30(2) of the GDPR, containing information on all categories of processing carried out on behalf of each controller, including the name and contact details of each controller, the categories of processing, any transfers to third countries and, where possible, a general description of the technical and organisational security measures.

Different types of assessments

Companies may need to carry out certain assessments before processing personal data, for example a data protection impact assessment (DPIA) or a legitimate interest assessment (LIA) with a documented balancing of interests.

It is important that the assessments are documented in writing, since companies must be able to demonstrate that they comply with the GDPR in practice, according to the principle of accountability. In the event of supervision, the responsible data protection authority may request to see the assessments.

Data Protection Impact Assessment (DPIA)

When a company intends to carry out processing of personal data that is likely to result in a high risk to the rights and freedoms of data subjects, the company shall carry out a data protection impact assessment before the processing begins. The purpose is to identify the risks the processing entails and what the company can do to address them, for example by developing appropriate procedures and implementing appropriate technical and organisational security measures.

Penalty for a company in Finland that did not carry out an impact assessment

In one of the three decisions in this supervisory case, the Finnish data protection authority concluded that the company in question should have carried out an impact assessment before processing the location data of its employees, which it obtained by locating vehicles through a driving data system. For this violation of the GDPR, the company was fined 16,000 euros.

Data Transfer Impact Assessment (DTIA)

If a company intends to transfer personal data to a third country that is not covered by an adequacy decision of the European Commission, the company should carry out a transfer impact assessment. This must be done before the transfer takes place.

The purpose is to analyse the recipient of the personal data, including the recipient country, to find out whether the transfer is sufficiently secure. This includes analysing the data protection laws and practices of the recipient country, in particular the extent to which public authorities there can access the data, and the rights and remedies available to data subjects in that country.

Legitimate Interest Assessment (LIA)

Companies may have a legitimate interest in carrying out a certain type of personal data processing. To rely on legitimate interest as a legal basis, three conditions must be met: the company (or a third party) must pursue a legitimate interest, the processing must be necessary for that interest, and the interest must not be overridden by the interests or fundamental rights and freedoms of the data subjects. The balancing of these interests is what the LIA documents. For example, it may be necessary for a company to carry out certain processing to prevent fraud or other crime; in such cases, this can constitute a legitimate interest.

In short, the legal basis “Legitimate interest” means that the personal data may be processed by the company without the consent of the data subject, without it being necessary for the conclusion or performance of a contract and without there being a legal obligation to carry out the processing.

Prior consultation of the supervisory authority

Where a high risk to the rights and freedoms of data subjects remains after the company has carried out an impact assessment and taken the safeguards identified in it, the company shall consult the national data protection authority before the processing begins. The impact assessment must therefore be completed before the prior consultation is requested and before the processing starts.
