RODO: consequences of leaking personal data from a company

16.08.2019
Data security

European Commission research shows that more than 75% of Europeans are concerned about the security of their data on social networks and search engines, and fear that it will be misused. This state of affairs was one of the reasons the RODO (the Polish name of the GDPR, the EU General Data Protection Regulation) was adopted. Today the situation is different: personal data is treated as a valuable asset, and the law provides severe penalties for violations. What obligations do businesses have in this regard, and what consequences can they face?

Data leakage is a real and serious problem: a single incident can put the email addresses, phone numbers and other sensitive data of millions of users into the wrong hands. From time to time we hear about breaches at various companies, which then suffer not only financial losses but also damage to their reputation.

Data leakage in the context of RODO

The law does not use the phrase "data leakage"; it speaks of a personal data breach, which covers, for example:

  • accidental or unlawful destruction of data
  • loss of data
  • alteration of data
  • unauthorized disclosure
  • unauthorized access.

So it is not only hacking attacks that count, but any situation that poses a serious risk to the data subjects: identity theft, taking out a loan in the victim's name, making online purchases, renting a flat, and so on. A person whose data has leaked may be left with debts and may even be suspected of a crime committed in their name.

Data security and RODO. Obligations of the entrepreneur

The controller is the entity that decides why and how the data is processed (not the "owner" of the data). A breach does not only mean disclosure to outsiders: it also occurs when the controller can no longer use the data, e.g. because systems or the data structure have been damaged or access has been blocked (as with ransomware), or when the data no longer exists at all (it has been destroyed).

Once the entrepreneur becomes aware of a data breach, they must report it to the supervisory authority within 72 hours, unless the breach is unlikely to pose a risk to the rights and freedoms of the people concerned. In Poland that authority is the President of the Office of Personal Data Protection (PUODO). When the breach is likely to result in a high risk to those people, they must also be notified without undue delay, so that they can protect themselves (for example by changing passwords or watching for fraud attempts). The breach is reported to PUODO by filling out the form on its website.

In what situations must a data breach always be reported?

  • when the data subjects may be deprived of their rights or freedoms or lose control over their own personal data;
  • when special categories of data are processed, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, data concerning health, sex life or sexual orientation, or data on criminal convictions, offences or related security measures;
  • when the processing is automated, including profiling;
  • when the data of vulnerable people, especially children, is processed;
  • when the processing takes place on a large scale and affects a significant number of data subjects.

Amount of penalties for the entrepreneur for data breach

The RODO places strict obligations on business owners and penalizes those who fail to meet them. Every entrepreneur who processes personal data, not only those processing large volumes, must protect it against leaking out of the company, and in particular against accidental or unlawful destruction and against access by unauthorized persons.

Failure to implement appropriate technical and organizational measures is grounds for an administrative fine of up to 10,000,000 euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever amount is higher. (Other infringements, such as violating the basic principles of processing or the rights of data subjects, fall under a higher tier of 20,000,000 euros or 4% of turnover.) That is why a quick reaction counts, and above all preventive measures.

What should an entrepreneur do to protect data properly?

  1. Read the RODO regulation itself. It requires the controller or processor to assess the risks arising from the processing and to apply countermeasures appropriate to that risk, such as encryption (the data is encoded so that anyone without the decryption key cannot read it), pseudonymization (the data is processed so that it can no longer be attributed to a specific person without additional information, which must be kept separately and protected; pseudonymized data is still personal data) or anonymization (identification is made irreversibly impossible; properly anonymized data no longer falls under the regulation).
  2. Put in place the other preventive measures the regulation lists (Article 32):
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
    • regular testing, measuring and evaluation of the effectiveness of the technical and organizational measures that secure the processing.
  3. Deploy technical controls against data leakage, theft, hacking and accidental loss. One such solution is Data Leak Prevention (also Data Loss Prevention, DLP), which classifies sensitive content and monitors or blocks its transfer through channels such as email, removable media and cloud uploads.
  4. Keep antivirus and firewall software in place and up to date.
  5. Have employees, contractors and freelancers sign a confidentiality clause at the start of the cooperation, so that they know the data they process is confidential, and give each of them access only to the data their role requires. A significant share of leaks originates in the deliberate or careless conduct of co-workers.
  6. Everyday care: no passwords written on the whiteboard above the desk or on sticky notes on the monitor, no unlocked workstations left unattended, and similar risky habits.

Data security at ITH.EU

Cyber security is a priority for our specialists, especially from the perspective of a telecommunications company. See the ITH Security package, which includes auditing and monitoring, network protection, a cloud firewall and VPN.