As an Administrator, can you choose the appropriate technical and organizational security measures necessary to ensure compliance with the GDPR?
The breach of personal data protection, which resulted in the penalty imposed, consisted in the loss of a portable information carrier, such as a flash drive, by a probation officer. The flash drive was official , unencrypted and contained personal data of 400 people subject to probation and covered by the environmental interview by the probation officer.
The pendrive contained personal data such as: name and surname, date of birth, address of residence or stay, PESEL identification number, data on earnings and / or property, series and number of ID cards, telephone number, health data and data on judgments sentencing . Due to the above scope of data, the breach posed a high risk of violating the rights or freedoms of natural persons. Therefore, it was notified to the supervisory authority and also communicated on the controller’s website.
In the course of the UODO proceedings, the controller documented that:
- Has an implemented personal data protection system in the form of rules for the processing of personal data.
- The documentation is updated and audited on an ongoing basis.
- He appointed the Data Protection Officer.
- He undertook activities in the form of stationary and e-learning training for his employees in the field of personal data protection and the provisions of the implemented documentation.
- He introduced on-line duties performed by the Data Protection Officer at the controller’s premises.
- Ad hoc inspections are carried out by the Data Protection Officer.
So what was the problem?
In the implemented documentation on the protection of personal data, the administrator has included a provision that it is the users of data carriers that are required to adequately protect them.
However, he did not show that he informed employees about adequate safeguards for data carriers in his opinion and how to implement them. The incorrect assumption is not only the fact that employees have specialist knowledge in the field of cryptography, but also that they will remember to encrypt data on the carrier each time.
The basic principle in the area of information security is the principle of the weakest link. It says that just as the weakest ring affects the strength of the chain, the weakest security affects the information security management system. It has been known for a long time that the weakest link in the information security chain are people / employees, whose random errors are responsible for more than half of all data leaks.
The employee should know that portable equipment should be encrypted, but the administrator is responsible for the implementation of this process, as is the implementation of the entire process of implementing appropriate technical and organizational measures, their assessment and regular testing and measurement.
Delegating the obligations imposed on the Administrator by the provisions of the GDPR, including in particular the implementation of appropriate technical and organizational measures, their assessment and regular testing and measurement on the employee do not ensure compliance with the provisions of the GDPR. The risk analysis process should be carried out and based on it, appropriate (effective) security measures should be selected for a given situation (purpose, scope, method of data processing).
Use common sense and remember that there are external entities that are highly specialized in issues related to the protection of personal data. They know the solutions available on the market in the field of cybersecurity and are able to adapt them to the client’s needs.
BLUE energy will be happy to help you with all aspects related to personal data – GDPR requirements audit service
The Office of Personal Data Protection in September this year. imposed another administrative penalty on an entity that failed to comply with obligations that stem directly from the RODO.
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on on the protection of Union law whistleblowers, is already in effect as of December 17, 2021. However, until today (25.07.2022), a law clarifying the requirements of the Directive on the protection of whistleblowers has not appeared in the Polish legal order.