Problems with data in IT companies. The action plan that counts
In recent weeks, data leaks have been making the news in Poland, including a case concerning a popular international social networking site and another involving the leaked personal data of police officers. Data leaks (in Polish: “wyciek danych”) occur in large and small organizations alike. Understanding how corporate data can leak is therefore crucial to protecting it adequately.
Contrary to what is generally believed, data leaks are not necessarily the work of hackers. Employees and co-workers themselves are often responsible for compromising corporate IT security. This does not mean that the risk of an attack from outside the organization can be ruled out: external attacks are just as likely as incidents arising from the carelessness of people inside the company.
A data leak often signals specific problems within a company, such as faulty procedures or insufficient security measures. Business owners must not only secure IT systems adequately but also train staff so that leaks are prevented. Management should take the steps necessary to ensure that data is processed securely. Regardless of the cause, once a leak occurs, executives must not ignore it; they need to act quickly and effectively. The consequences of such an incident may include legal sanctions (e.g. an administrative fine), damage to the company’s image and reputation, and loss of customer trust.
Personal data breach
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“) does not use the term “leak” but “personal data breach”. Under Article 4(12) of the GDPR, a “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. The definition is therefore very broad.
Not every security incident is a personal data breach: only one that affects personal data and compromises its confidentiality (unauthorised disclosure or access), integrity (unauthorised alteration) or availability (loss or destruction, including a temporary loss of access). Whether the breach also poses a risk to the data subjects is a separate question, and it is that risk which determines whether the breach has to be notified.
If such a breach occurs in a specific department, e.g. the IT department, that unit must promptly inform the relevant persons according to pre-established procedures, e.g. the data protection officer or lawyers specializing in personal data protection.
Notification of the supervisory authority
If a personal data breach has occurred, or there are reasonable grounds to suspect one, the first priority is to contain the incident and limit its consequences, while preserving the information needed to assess and document it.
Under Article 33(1) of the GDPR, the data controller must notify a personal data breach to the supervisory authority, in Poland the President of the Personal Data Protection Office (“PDPA“), without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. A processor (for instance, an IT company hosting or processing data on a client’s behalf) does not notify the authority itself but must notify the controller without undue delay after becoming aware of a breach (Article 33(2)). In practice this leaves very little time to act, and the 72-hour clock runs from the moment the controller becomes aware of the breach.
Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller must carry out a proper risk assessment to determine whether notification is needed, and the assessment itself, not merely the decision, should be kept on file.
The controller is required to document every personal data breach, including the facts relating to it, its effects and the remedial action taken. Article 33(5) of the GDPR mandates this explicitly so that the supervisory authority can verify compliance on the basis of that documentation. In practice the breach register should record, for each breach: the date it occurred and the date it was discovered, the circumstances, the categories and approximate number of data subjects and records affected, the assessed risk to the rights and freedoms of data subjects, and the remedial and security measures taken. Every incident on the controller’s side should be entered in the register so that it can be produced during an inspection, regardless of whether the breach was reported to the President of the PDPA.
Notification of data subjects
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the data subjects without undue delay (Article 34(1) of the GDPR). The communication must be written in clear and plain language, describe the nature of the breach and contain at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the GDPR: the contact details of the data protection officer or another contact point, the likely consequences of the breach, and the measures taken or proposed to address it, including measures to mitigate its possible adverse effects. The wording should be adjusted to the category of recipients. The President of the PDPA may later verify how the data subjects were informed and, if the controller has not yet done so, may require it to notify them (Article 34(4)).
As with the notification obligation towards the supervisory authority, the legislator has provided for cases where, despite the breach, the data subjects need not be notified (Article 34(3)): for example, where the controller had implemented appropriate technical and organizational measures and applied them to the affected data, in particular encryption that renders the data unintelligible to anyone not authorized to access it, or where subsequent measures ensure that the high risk is no longer likely to materialize. Encryption only counts for this purpose if the key was not compromised together with the data.
Not every breach will require notification of the President of the PDPA. Where it does, the notification should be made without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach. The key element of risk management is therefore having procedures in place that shorten the response time: detection, escalation to the people who decide on notification, risk assessment and documentation. The President of the PDPA examines each breach on a case-by-case basis. Under the GDPR, penalties are to be effective, proportionate and dissuasive (Article 83(1)). In recent years, high administrative fines have been imposed on companies in various sectors, including IT. Last year, a company was fined more than PLN 85,000 for failing to report a personal data breach to the President of the PDPA. The question whether to notify the supervisory authority should therefore be considered carefully, and the reasoning documented.
Monika Gaczkowska, associate, WOLF THEISS
Last Updated on April 27, 2021 by Karolina Ampulska