If you do not care about information security, take into account the penalty from the President of the Personal Data Protection Office

13 Jan 2022
Jakub Wietrzyński

On January 11, another notice of an administrative fine, this time of PLN 45 thousand imposed on the Warsaw University of Technology, appeared on the UODO website. Interestingly, this penalty once again concerns the Administrator’s failure to apply appropriate technical and organizational measures to ensure the ability to continuously ensure the confidentiality of processing services, as well as the lack of regular testing, measurement and evaluation of the effectiveness of those measures.

Or at least that is what we can read in the general message published on the website. However, I encourage you to read the decision of the President of the Personal Data Protection Office in more detail (https://www.uodo.gov.pl/decyzje/DKN.5130.2559.2020%20).

We read in it, inter alia, that the violation of the provisions of the GDPR consisted in:

  • failure to apply appropriate technical and organizational measures to ensure the ability to ensure the ongoing confidentiality of processing services,
  • the lack of regular testing, measurement and evaluation of the effectiveness of the technical and organizational measures intended to ensure the security of personal data processed in the IT system, including the explicitly indicated failure to perform penetration tests of the applications, which would have allowed the system’s vulnerability to attacks from the public network to be detected,
  • failure to take into account the risk related to storing user passwords in the application in the form of a hash function that does not provide a sufficient guarantee of security,
  • too short a retention period for system logs and the lack of a functioning detailed event log in the application.

As part of the risk analysis, how many of you take into account aspects such as the quality of the hash function used for passwords, the manner of keeping administrative and event logs and their content, or the system’s resistance to attacks from the public network? How many Administrators test actual security, and how many merely simulate the risk analysis process by entering “risk of breach of confidentiality of personal data” on one side of an Excel table and “low risk level” on the other?

In most organizations, such a light approach to the risk analysis process results from a lack of appropriate competence and experience. Therefore, I would like to remind you that it is possible to ask for help from external entities specializing in personal data protection and information security, such as Blue Energy.

We invite you to use our services in the field of:

#GDPR
#IT
#security
#Tests
