Acquisition, management, modification and storage of data should be based on decisions that take possible risks into account. Such risk may stem from poor processing conditions, improper disposal, loss, theft, uncontrolled modification, unauthorized access, or improper storage. It is important to identify the possible scenarios for data loss, to estimate the probability and frequency of their occurrence and the degree of harm, and, in the next step, to plan the actions that will contain the crisis. It should be noted that the May Regulation is not a set of ready-to-use solutions. It does not prescribe clear-cut methods for dealing with the problems that may arise in the protection of personal data, but allows its requirements to be adapted to the scale and significance of the data.

Measures to preserve data security

The General Data Protection Regulation (GDPR), which will take effect on May 25, 2018, requires technical and organizational measures that ensure an adequate level of security for personal information. Organizational measures include data protection impact assessments, security audits, policy reviews, incident logging, and, optionally, the appointment of a Data Protection Supervisor (DPO). The technical measures include, among others: accountability, which consists in imposing on the Data Administrator the obligation to perform regular reviews and evaluations of data processing in order to maintain compliance with the standards; and incident procedures, so that the Administrator is able to react more responsibly and report the incident. In addition, the Regulation introduces pseudonymization and encryption of personal data; tools to preserve the confidentiality, integrity, availability and resilience of data-driven systems; and the ability to formulate basic assumptions that will, at the time of an incident, restore the correct availability of stored data. The primary aim of selecting adequate technical and organizational measures is to keep personal data of different types and levels of confidentiality secure. It is worth analyzing how to implement them and what such implementation would cost in your business. In order to fulfill their protective function, these measures should be tested and objectively assessed by the security department.

Handling data breaches

When an irregularity is found in the data management systems, the Personal Data Administrator, the General Inspector for Personal Data Protection, or another person appointed to a similar position is obliged to report the breach to the competent supervisory authority within 72 hours. Such a report should first of all describe the nature of the infringement, that is the area it covers; specify the type and significance of the captured or lost information, and the number of people associated with it. In addition, all consequences of the occurrence (material and non-material) should be reported to both the data controller and the person who made the data available. The General Inspector should apply the pre-prepared crisis strategy, including its remedial measures, and then take appropriate steps to minimize the negative effects of the resulting disruption. It is very important to document the steps taken in crisis situations, not only so that the supervisory authority can verify them, but also so that future General Inspectors can draw on them. The documentation should also state whether the leaked personal data were in any way protected against various types of fraud. If so, the General Inspector or an external security partner must investigate why the protection measures were ineffective and, after careful examination, introduce the necessary corrections.

Obligation to notify the affected environment about the incident

There may be situations in which a data leak poses a particular threat and exposes a person to irreparable damage. The General Inspector must notify the affected person as soon as possible and explain, avoiding any specialized language, what the interference was about. He or she should also offer solutions to the situation and continually report on the corrective actions taken. The affected person's peace of mind must be preserved, since his or her trust has already been strained.

In summary, the actions taken at the time of a disruption vary. It all depends on the nature and extent of the illegal tampering with the data management systems. Corrective actions that are not guided by a well-thought-out security strategy demand a sudden commitment of time or financial resources, as well as quick decisions under pressure from the environment. Therefore, it is advisable to be prepared for possible data breaches, to keep your systems and resources under control, and to design a recovery program.
